<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.35 (Ruby 2.6.10) -->
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc docmapping="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-dnsop-structured-dns-error-25" category="std" consensus="true" submissionType="IETF" updates="8914" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.32.0 -->
  <front>
    <title abbrev="Structured DNS Error">Structured Error Data for Filtered DNS</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-dnsop-structured-dns-error-25"/>
    <author fullname="Dan Wing">
      <organization abbrev="Citrix">Citrix Systems, Inc.</organization>
      <address>
        <postal>
          <country>United States of America</country>
        </postal>
        <email>danwing@gmail.com</email>
      </address>
    </author>
    <author fullname="Tirumaleswar Reddy">
      <organization>Nokia</organization>
      <address>
        <postal>
          <city>Bangalore</city>
          <region>Karnataka</region>
          <country>India</country>
        </postal>
        <email>kondtir@gmail.com</email>
      </address>
    </author>
    <author fullname="Neil Cook">
      <organization>Open-Xchange</organization>
      <address>
        <postal>
          <country>United Kingdom</country>
        </postal>
        <email>neil.cook@noware.co.uk</email>
      </address>
    </author>
    <author fullname="Mohamed Boucadair">
      <organization>Orange</organization>
      <address>
        <postal>
          <street>Rennes</street>
          <code>35000</code>
          <country>France</country>
        </postal>
        <email>mohamed.boucadair@orange.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="09"/>
    <area>Internet</area>
    <workgroup>DNS Operations Working Group</workgroup>
    <keyword>Customer experience</keyword>
    <keyword>Informed decision</keyword>
    <keyword>transparency</keyword>
    <keyword>enriched feedback</keyword>
    <abstract>
      <?line 82?>

<t>DNS filtering is widely deployed for various reasons, including
network security and policy enforcement. However, filtered DNS responses lack structured information
for end users to understand the reason for the filtering.
Existing mechanisms to provide explanatory details to end users cause harm
especially if the blocked DNS response is for HTTPS resources.</t>
      <t>This document updates RFC 8914 by signaling client support for structuring the EXTRA-TEXT field of
the Extended DNS Error to provide details on the DNS filtering. Such
details can be parsed by the client and displayed, logged, or used for
other purposes.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://ietf-wg-dnsop.github.io/draft-ietf-dnsop-structured-dns-error/draft-ietf-dnsop-structured-dns-error.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        dnsop Working Group mailing list (<eref target="mailto:dnsop@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/dnsop/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/dnsop/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-structured-dns-error"/>.</t>
    </note>
  </front>
  <middle>
    <?line 95?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>DNS filters are deployed for a variety of reasons, e.g., endpoint
security, parental filtering, and filtering required by law
enforcement. Network-based security solutions such as firewalls and
Intrusion Prevention Systems (IPS) rely upon network traffic
inspection to implement perimeter-based security policies and operate
by filtering DNS responses. In a home network, DNS filtering is used for the
same reasons as above and additionally for parental control. Internet
Service Providers (ISPs) typically block access to some DNS domains due to a
requirement imposed by an external entity (e.g., law enforcement
agency) also performed using DNS-based content filtering.</t>
      <t>End users or network administrators leveraging DNS services that perform filtering may wish to receive more
explanatory information about such a filtering to resolve problems with the filter
-- for example, to contact the DNS service administrator to allowlist a DNS domain that
was erroneously filtered or to understand the reason a particular
domain was filtered. With that information, they can choose
to use another network, open a trouble ticket with the DNS service administrator to
resolve erroneous filtering, log the information, etc.</t>
      <t>For the DNS filtering mechanisms described in <xref target="existing-techniques"/>, the DNS
server can return extended error codes Blocked, Filtered, Censored, or
Forged Answer defined in <xref section="4" sectionFormat="of" target="RFC8914"/>. However, these codes
only explain that filtering occurred but lack detail for the user to
diagnose erroneous filtering.</t>
      <t>No matter which type of response is generated (forged IP address(es),
NXDOMAIN or empty answer, even with an extended error code), the end user
who triggered the DNS query has little chance to understand which
entity filtered the query, how to report a mistake in the filter, or
why the entity filtered it at all. This document describes a mechanism
to provide such detail.</t>
      <t>As noted in <xref section="6" sectionFormat="of" target="RFC7754"/>, promptly informing the endpoint that blocking has occurred provides necessary transparency to redress any errors, particularly as they relate to collateral damage introduced by errant filters.</t>
      <t>One of the other benefits of the approach described in this document is to eliminate the need to
"spoof" block pages for HTTPS resources. This is achieved since
clients implementing this approach would be able to display a
meaningful error message, and would not need to connect to such a
block page. This approach thus avoids the need to install a local root
certificate authority on those IT-managed devices.</t>
      <t>This document describes a format for machine-readable data in the
EXTRA-TEXT field of <xref target="RFC8914"/>. The document updates <xref section="2" sectionFormat="of" target="RFC8914"/>, which
says the information in EXTRA-TEXT field is intended for human
consumption (not automated parsing).</t>
      <t>This document does not recommend DNS filtering but provides a
mechanism for better transparency to explain to the end users why some DNS
queries are filtered.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document uses terms defined in DNS Terminology <xref target="RFC9499"/>.</t>
      <t>"Encrypted DNS" refers to any encrypted scheme to convey DNS messages,
for example, DNS over HTTPS (DoH) <xref target="RFC8484"/>, DNS over TLS (DoT) <xref target="RFC7858"/>, or
DNS over QUIC (DoQ) <xref target="RFC9250"/>.</t>
      <t>The document refers to an Extended DNS Error (EDE) using its purpose, not its
INFO-CODE as per Table 3 of <xref target="RFC8914"/>. "Forged Answer",
"Blocked", "Censored", and "Filtered" are thus used to refer to "Forged Answer (4)",
"Blocked (15)", "Censored (16)", and "Filtered (17)".</t>
      <t>In this document, "client security policy evaluation" refers to implementation-defined
decision-making performed by the DNS client or consuming application (e.g., web
browser) to
determine how, or whether, structured error information is used, displayed,
or acted upon.</t>
      <t>Structured DNS Error (SDE) is an EDNS(0) option indicating support for structured encoding of the EXTRA-TEXT field. See also <xref target="SDE"/>.</t>
      <t>"DNS administrator" refers to the party responsible for operating
and configuring the DNS server, including the definition of
filtering policies.</t>
      <t>"IT/InfoSec team" refers to the organizational team responsible
for receiving and handling end-user reports of misclassified DNS
filtering, including decisions on allowlisting domains or revising
filtering policies.</t>
    </section>
    <section anchor="existing-techniques">
      <name>DNS Filtering Techniques and Their Limitations</name>
      <t>DNS responses can be filtered by sending, e.g., a bogus (also called
"forged") response, NXDOMAIN error, or empty answer. Also, clients can be informed that filtering occurred by sending an
Extended DNS Error code defined in <xref target="RFC8914"/>. Each of these
methods have limitations that are discussed in the following subsections.</t>
      <section anchor="forged-responses">
        <name>Forged Responses</name>
        <t>The DNS response is forged to provide a list of IP addresses that
points to an HTTP(S) server alerting the end user about the reason for
blocking access to the requested domain (e.g., malware). If the host component <xref target="RFC3986"/>
of an HTTP URL is blocked, the network security device
(e.g., Customer Premises Equipment (CPE) or firewall) presents a block page instead of the HTTP
response from the content provider hosting that domain. This works successfully with HTTP.</t>
        <t>If this is an HTTPS URL, the network security device attempts to serve the block page over HTTPS.  In order to return a block page over HTTPS, the network security device uses a locally
generated root certificate and corresponding key pair. The local root certificate is
installed on the endpoint while the network security device stores a copy of the private key.
During the TLS handshake, the on-path network security device modifies the certificate
provided by the server and (re)signs it using the private key from the local root
certificate.</t>
        <t>Note that:</t>
        <ul spacing="normal">
          <li>
            <t>In deployments where a client is DNSSEC-aware and performs its own validation (DO=1), this approach becomes ineffective because DNSSEC
ensures the integrity and authenticity of DNS responses, preventing forged DNS
responses from being accepted.</t>
          </li>
          <li>
            <t>The HTTPS server hosted on the network security device will have access to the
client's IP address, the hostname, and the URL path component of the request. This information will be sensitive, as it will expose the end user's identity and the specific resource that an end user attempted to access.</t>
          </li>
          <li>
            <t>Configuring a local root certificate on endpoints is
not a viable option in several deployments like home networks,
schools, Small Office/Home Office (SOHO), or Small/Medium
Enterprise (SME). In these cases, the typical behavior is that
the filtered DNS response points to a server that will display
the block page. If the client is using HTTPS (via a web browser or
another application) this results in a certificate validation
error which gives no information to the end user about the reason
for the DNS filtering.</t>
          </li>
          <li>
            <t>Enterprise networks do not always assume that all the connected devices
are managed by the IT team or Mobile Device Management (MDM)
devices, especially in the quite common Bring Your Own Device
(BYOD) scenario. In addition, the local root certificate cannot
be installed on IoT devices without a device management tool.</t>
          </li>
          <li>
            <t>An end user does not know why the connection was prevented and,
consequently, may repeatedly try to reach the domain but with no
success. Frustrated, the end user may switch to an alternate
network that offers no DNS filtering against malware and
phishing, potentially compromising both security and
privacy. Furthermore, certificate errors train end users to click
through certificate errors, which is a bad security practice. To
eliminate the need for an end user to click through certificate
errors, an end user may manually install a local root certificate
on a host device. Doing so, however, is also a bad security
practice as it creates a security vulnerability that may be
exploited by a MITM attack. When a manually installed local root
certificate expires, the end user has to (again) manually install the
new local root certificate.</t>
          </li>
        </ul>
      </section>
      <section anchor="forged-nxdomain-answer">
        <name>Forged NXDOMAIN Answer</name>
        <t>The DNS response is forged to provide an NXDOMAIN answer, causing the DNS lookup to fail. This approach is incompatible with DNSSEC when the client performs validation, as the forged response will fail DNSSEC checks. However, in deployments where the client relies on the DNS server to perform DNSSEC validation, a filtering DNS server can forge an NXDOMAIN response for a valid domain, and the client will trust it. This undermines the integrity guarantees of DNSSEC, as the client has no way to distinguish between a genuine and a forged response. Further, the end user may not understand why a domain cannot be reached and may repeatedly attempt access without success. Frustrated, the end user may resort to using insecure methods to reach the domain, potentially compromising both security and privacy.</t>
      </section>
      <section anchor="extended-error-codes-edes">
        <name>Extended Error Codes (EDEs)</name>
        <t>The extended error codes Blocked and Filtered defined in
<xref section="4" sectionFormat="of" target="RFC8914"/> can be returned by a DNS server to provide
additional information about the cause of a DNS error.
These extended error codes do not suffer from the limitations
discussed in bullets (1) and (2), but the user still does not know the
exact reason nor is aware of the exact entity blocking the
access to the domain. For example, a DNS server may block access to a
domain based on the content category such as "Malware" to protect the
endpoint from malicious software, "Phishing" to prevent the end user from
revealing sensitive information to the attacker, etc. An end user may need to
know the contact details of the IT/InfoSec team to raise a complaint.
Further, the information conveyed by <xref target="RFC8914"/> is intended for
diagnostic purposes and is not structured for automated processing,
localization, or extensibility.</t>
        <t>This document defines a structured,
machine-readable format for conveying such details in the EXTRA-TEXT
field, enabling clients to process the information programmatically
and present it to end users (e.g., with localization support), while
allowing for extensibility and more granular, client security
policy-driven handling of the information. This specification requires
that clients only act upon such information when it is received
over an integrity-protected DNS response.</t>
      </section>
    </section>
    <section anchor="name-spec">
      <name>I-JSON in EXTRA-TEXT Field</name>
      <section anchor="json-names">
        <name>JSON Names</name>
        <t>DNS servers that are compliant with this specification and have received an indication that the client also supports this specification as per <xref target="client-request"/> send data in the EXTRA-TEXT field <xref target="RFC8914"/> as a JSON object encoded using the Internet JSON (I-JSON) message format <xref target="RFC7493"/>.</t>
        <t>This document defines the following JSON names:</t>
        <dl>
          <dt>c: (contact)</dt>
          <dd>
            <t>The contact details of the IT/InfoSec team to report misclassified
DNS filtering. This information is important for transparency and also to ease unblocking a legitimate domain name that got blocked due to wrong classification.</t>
          </dd>
          <dt/>
          <dd>
            <t>The field is a JSON array of contact URIs. When multiple contact details are provided, each contact URI is
represented as a separate array element in the JSON array.</t>
          </dd>
          <dt/>
          <dd>
            <t>Contact URIs conveyed in the "c" field <bcp14>MUST</bcp14> use URI schemes registered in <xref target="IANA-Contact"/>.</t>
          </dd>
          <dt/>
          <dd>
            <t>This field is optional.</t>
          </dd>
          <dt>j: (justification)</dt>
          <dd>
            <t>'UTF-8'-encoded <xref target="RFC5198"/> human-readable explanation for the DNS
filtering decision.</t>
          </dd>
          <dt/>
          <dd>
            <t>This field is particularly useful when no applicable sub-error code
is defined or provided for the returned Extended DNS Error.</t>
          </dd>
          <dt/>
          <dd>
            <t>The information conveyed in this field <bcp14>MUST NOT</bcp14> be used as input to
automated processing that affects security policy enforcement or DNS
protocol behavior.</t>
          </dd>
          <dt/>
          <dd>
            <t>The DNS client determines, according to its client security policy,
whether the contents of this field are displayed to the end user,
logged, or ignored.</t>
          </dd>
          <dt/>
          <dd>
            <t>Returning non-UTF-8 data, syntactically invalid content, or
deliberately meaningless values (including empty strings) indicates that
a DNS server is misbehaving.</t>
          </dd>
          <dt/>
          <dd>
            <t>This field is optional.</t>
          </dd>
          <dt>s: (sub-error)</dt>
          <dd>
            <t>An integer representing the sub-error code for this particular DNS filtering case.</t>
          </dd>
          <dt/>
          <dd>
            <t>The integer values are defined in the IANA-managed registry for Extended DNS Sub-Error Codes in <xref target="IANA-SubError"/>.</t>
          </dd>
          <dt/>
          <dd>
            <t>This field is optional.</t>
          </dd>
          <dt/>
          <dd>
            <t>When multiple blocking causes apply simultaneously
(e.g., a domain is blocked for both malware and phishing reasons),
a single SDE response is returned. If "s" is supplied, then the "s" field <bcp14>MUST</bcp14> convey the
primary blocking cause. In such case, the "j" field <bcp14>MUST</bcp14> be used to provide
additional context describing all applicable causes.</t>
          </dd>
          <dt>o: (organization)</dt>
          <dd>
            <t>'UTF-8'-encoded human-friendly name of the organization that filtered this particular DNS query.</t>
          </dd>
          <dt/>
          <dd>
            <t>This field is optional.</t>
          </dd>
          <dt>l: (language)</dt>
          <dd>
            <t>The "l" field indicates the language used for the JSON-encoded "j" and "o" fields.  The value of this field <bcp14>MUST</bcp14> conform to the
language tag syntax specified in <xref section="2.1" sectionFormat="of" target="RFC5646"/>.</t>
          </dd>
          <dt/>
          <dd>
            <t>This field is <bcp14>REQUIRED</bcp14> when either the "j" or "o" fields are present.</t>
          </dd>
        </dl>
        <t>The text in the "j" and "o" names can include international
characters. The text will be in natural language, chosen by the DNS administrator
to match its expected audience.</t>
        <t>The "o" field <bcp14>MAY</bcp14> be displayed to end users, subject to the conditions described in <xref target="security"/>.</t>
        <t>To avoid exceeding the maximum EDNS0 size <xref target="RFC9715"/>, the generated JSON values <bcp14>SHOULD</bcp14> be as short as
possible: concise text in the values for the "j"
and "o" names, and minified JSON (that is, without spaces or line
breaks between JSON elements). Otherwise, there is a risk that the response will get fragmented.</t>
        <t>The JSON data can be parsed to display to the user, logged, or
otherwise used to assist troubleshooting and diagnosis of DNS filtering.</t>
        <t>The sub-error codes provide a structured way to communicate more detailed and precise description of the cause of an error (e.g., distinguishing between malware-related blocking and phishing-related blocking under the general blocked error).</t>
        <ul empty="true">
          <li>
            <t>An alternate design for conveying the sub-error would be to define new EDE codes for these errors. However, such design is suboptimal because it requires replicating an error code for each EDE code to which the sub-error applies (e.g., "Malware" sub-error in <xref target="reg"/> would consume three EDE codes).</t>
          </li>
        </ul>
      </section>
      <section anchor="future-json-names-requirements">
        <name>Future JSON Names Requirements</name>
        <t>New JSON names may be defined in the future (see also <xref target="IANA-Names"/>). This section specifies the requirements to take into account for such names.</t>
        <t>New JSON names <bcp14>MUST</bcp14> consist only of lower-case ASCII characters, digits,
and hyphen-minus (that is, Unicode characters U+0061 through 007A,
U+0030 through U+0039, and U+002D). Also, these names <bcp14>MUST</bcp14> be 63
characters or shorter and it is <bcp14>RECOMMENDED</bcp14> they be as short as
possible to reduce contribution to exceeding maximum EDNS0 response
size. Refer to <xref target="RFC9715"/> for a discussion on IP fragmentation avoidance in DNS.</t>
      </section>
    </section>
    <section anchor="protocol-operation">
      <name>Protocol Operation</name>
      <section anchor="client-request">
        <name>Client Generating Request</name>
        <t>When generating a DNS query, a client that supports this specification
<bcp14>SHOULD</bcp14> include the Structured DNS Error (SDE) option defined in <xref target="SDE"/>, unless instructed by local policy otherwise.
The query should be sent over an encrypted DNS transport.</t>
        <t>The presence of the SDE option indicates that the client desires the
DNS server to include an EDE option in the DNS response when DNS
filtering is performed and that any data conveyed in the EXTRA-TEXT
field of the EDE option is encoded in accordance with
this specification.</t>
      </section>
      <section anchor="server-response">
        <name>Server Generating Response</name>
        <t>When the DNS server filters its DNS response to a
query (e.g., A or AAAA resource record query), the DNS response <bcp14>MAY</bcp14> contain an empty answer, NXDOMAIN, or (less
ideally) forged response, as desired by the DNS
server.</t>
        <t>If the query contained the SDE EDNS option (<xref target="client-request"/>), and the DNS server returns an EDE code of "Blocked", "Filtered", "Censored", or "Blocked by Upstream DNS Server", the DNS server <bcp14>SHOULD</bcp14> include additional detail in the EXTRA-TEXT field encoded as structured and machine-readable data in accordance with the present specification, unless configured otherwise. If the DNS response is sent over UDP and including the additional detail would cause the response to exceed the EDNS0 size
<xref target="RFC9715"/> (and thus setting TC=1), the server <bcp14>MUST</bcp14> first attempt to reduce the response size by omitting the "j" and "o" fields before omitting the EXTRA-TEXT entirely. In deployments using DoT, DoH, or DoQ, transport size limitations are unlikely to necessitate omission of structured data in the EXTRA-TEXT field.</t>
        <t>If the SDE option was not present in the DNS request, the DNS server <bcp14>MUST</bcp14> process the request in accordance with <xref target="RFC8914"/> and <bcp14>MUST NOT</bcp14> assume that the client supports this specification. This preserves compatibility with clients and servers that implement <xref target="RFC8914"/> but do not support this specification.</t>
        <t>Servers <bcp14>MAY</bcp14> return small TTL values in filtered DNS
responses (e.g., 10 seconds) to handle domain category and reputation
updates. Short TTLs allow for quick adaptation to dynamic changes in domain filtering decisions,
but can result in increased query traffic. In cases where updates are less frequent,
TTL values of 30 to 60 seconds might provide a better balance, reducing server load while
still ensuring reasonable flexibility for updates.</t>
        <t>If the query includes the SDE option as per <xref target="client-request"/>, the server <bcp14>MUST
NOT</bcp14> return the "Forged Answer" extended error code because the client
can take advantage of EDE's more sophisticated error reporting (e.g.,
"Filtered" or "Blocked").  Continuing to send "Forged
Answer" even to an EDE-supporting client will cause the persistence of
the drawbacks described in <xref target="existing-techniques"/>.</t>
        <t>When the "Censored" extended error code is included in the DNS response,
the "c", "j", "o", and "l" fields may be conveyed in the EXTRA-TEXT field.
The sub-error codes defined in this specification are not applicable to
the "Censored" extended error code and <bcp14>MUST NOT</bcp14> be used in conjunction with it.
Future specifications may update this behavior by defining sub-error codes
applicable to "Censored".</t>
      </section>
      <section anchor="client-processing">
        <name>Client Processing Response</name>
        <t>On receipt of a DNS response with an EDE option from a
DNS server, the following ordered actions are performed on the EXTRA-TEXT
field:</t>
        <ol spacing="normal" type="1"><li>
            <t>If the the response is not received over an encrypted DNS transport, the
DNS client <bcp14>MUST NOT</bcp14> act upon data in the EXTRA-TEXT field, as the data
is vulnerable  to
modification by an on-path attacker. An attacker can inject or
modify a structured DNS error response in transit without detection,
enabling fabrication of filtering information (e.g., misleading contact
information or false resolver identity information) that appears to
originate from the resolver. The data <bcp14>MAY</bcp14> be retained for diagnostic or
client security policy evaluation purposes.</t>
          </li>
          <li>
            <t>The DNS response <bcp14>MUST</bcp14> also contain an EDE code of
"Blocked by Upstream DNS Server", "Blocked", "Censored", or "Filtered" <xref target="RFC8914"/>,
otherwise the EXTRA-TEXT field is discarded.</t>
          </li>
          <li>
            <t>Servers that do not support this specification might use plain text in the
EXTRA-TEXT field. To ensure compatibility with those, DNS clients <bcp14>SHOULD</bcp14> handle both plaintext and structured content. The client attempts to parse the EXTRA-TEXT field as I-JSON. If parsing fails or the content is not valid I-JSON, the client <bcp14>MUST</bcp14> treat the data as invalid and <bcp14>MUST NOT</bcp14> process it according to this specification. The client <bcp14>MAY</bcp14> instead process the EXTRA-TEXT field as unstructured text as specified in <xref target="RFC8914"/>.</t>
          </li>
          <li>
            <t>If the JSON object contains an "s" field and the sub-error code
is not defined as applicable to the accompanying Extended DNS Error
(EDE) code, the client <bcp14>MUST</bcp14> ignore the value of the "s" field
and continue processing the remaining fields in accordance with this
specification.</t>
          </li>
          <li>
            <t>If the EXTRA-TEXT field does not contain at least one of the JSON
names "c", "j", or "s", or if all of the fields that are present have
empty values, the entire JSON object <bcp14>MUST</bcp14> be discarded.</t>
          </li>
          <li>
            <t>If the JSON object contains a "c" field any of its Contact URIs
with schemes not registered in the <xref target="IANA-Contact"/> registry are
ignored. Remaining Contact URIs using registered schemes can be
processed.</t>
          </li>
          <li>
            <t>If the identity of the DNS server cannot be verified (e.g., when
using opportunistic privacy such as <xref section="5" sectionFormat="of" target="RFC8310"/> or opportunistic discovery <xref target="RFC9462"/>), the DNS client <bcp14>MUST</bcp14> ignore the "c", "j", and "o" fields, as these fields may influence end user behavior and are vulnerable to active attacks in the absence of resolver authentication. If the DNS response was received over an encrypted connection without server authentication, the client <bcp14>MAY</bcp14> process the "s" field and other parts of the response, as the "s" field is a registry-defined, enumerated value and does not contain free-form text.</t>
          </li>
          <li>
            <t>If the DNS client uses an authenticated connection to the DNS server (e.g., when
using a strict privacy profile for DoT (<xref section="5" sectionFormat="of" target="RFC8310"/>) or an authenticated DoH or DoQ connection), this mitigates both passive eavesdropping and client redirection (at the expense of providing no DNS service if such a connection is not available). In such cases, the DNS client <bcp14>MAY</bcp14> process the EXTRA-TEXT field of the DNS response.</t>
          </li>
          <li>
            <t>The DNS client <bcp14>MUST</bcp14> ignore any other JSON names that it does not support.</t>
          </li>
        </ol>
        <ul empty="true">
          <li>
            <t>Note that the strict and opportunistic privacy profiles as defined in <xref target="RFC8310"/> only apply to DoT; there has been
no such distinction made for DoH.</t>
          </li>
        </ul>
      </section>
      <section anchor="SDE">
        <name>Structured DNS Error (SDE) EDNS(0) Option Format</name>
        <t>The Structured DNS Error (SDE) EDNS(0) option is used by a client to
indicate support for I-JSON encoding in the EXTRA-TEXT field of an
Extended DNS Error (EDE) option.</t>
        <t>The SDE option has no OPTION-DATA. The OPTION-LENGTH field <bcp14>MUST</bcp14>
be set to 0. A server receiving an SDE option with a non-zero
OPTION-LENGTH <bcp14>MUST</bcp14> silently ignore the OPTION-DATA.</t>
        <t>The presence of the SDE option in a query indicates that the client
supports processing the EXTRA-TEXT field in accordance with this
specification.</t>
      </section>
    </section>
    <section anchor="new-sub-error-codes-definition">
      <name>New Sub-Error Codes Definition</name>
      <t>The document defines the following new IANA-registered Sub-Error codes. See <xref target="IANA-SubError"/>.</t>
      <section anchor="policy-reserved">
        <name>Reserved</name>
        <t>This sub-error code value <bcp14>MUST NOT</bcp14> be sent. If received, it has no meaning.</t>
      </section>
      <section anchor="policy-network">
        <name>Network Operator Policy</name>
        <t>The code indicates that the request was filtered according to a policy imposed by the operator of the local network (where local network is a relative term, e.g., it may refer to a Local Area Network or to the network of the ISP selected by the end user).</t>
      </section>
      <section anchor="policy-dns">
        <name>DNS Operator Policy</name>
        <t>The code indicates that the request was filtered according to policy determined by the operator of the DNS server. This is different from the "Network Operator Policy" code when a third-party DNS resolver is used.</t>
      </section>
    </section>
    <section anchor="new-extended-dns-errors">
      <name>New Extended DNS Errors</name>
      <t>This document defines an addition to the EDE codes defined in <xref target="RFC8914"/>.</t>
      <section anchor="extended-dns-error-code-tba1-blocked-by-upstream-dns-server">
        <name>Extended DNS Error Code TBA1 - Blocked by Upstream DNS Server</name>
        <t>The DNS server is unable to respond to the request
because the domain is on a blocklist due to an internal security policy
imposed by an upstream DNS server. This error code
is useful in deployments where a network-provided DNS forwarder
is configured to use an external resolver that filters malicious
domains. When the DNS forwarder receives a Blocked (15) error code
from the upstream DNS server, it can replace it with
"Blocked by Upstream DNS Server" (TBA1) before forwarding
the reply to the DNS client. Additionally, the EXTRA-TEXT field may
be forwarded to the DNS client.</t>
        <t>Implementations should ensure that the communication channel with the
upstream DNS server provides adequate integrity protection to mitigate
the threats described in step 1 of <xref target="client-processing"/>.</t>
      </section>
    </section>
    <section anchor="examples">
      <name>Examples</name>
      <t>An example showing the nameserver at 'ns.example.net' that filtered a
DNS "A" record query for 'example.org' is provided in <xref target="example-json"/>.</t>
      <figure anchor="example-json">
        <name>JSON Returned in EXTRA-TEXT Field of Extended DNS Error Response</name>
        <artwork><![CDATA[
{
  "c": [
    "tel:+358-555-1234567"
  ],
  "j": "malware present for 23 days",
  "s": 1,
  "o": "example-org",
  "l": "en"
}
]]></artwork>
      </figure>
      <t>In <xref target="example-json-minified"/> the same content is shown with minified JSON (no
whitespace, no blank lines) with <tt>'\'</tt> line wrapping per <xref target="RFC8792"/>.</t>
      <figure anchor="example-json-minified">
        <name>Minified Response</name>
        <artwork><![CDATA[
{ "c":["tel:+358-555-1234567"],\
"j":"malware present for 23 days",\
"s":1,\
"o":"example-org",\
"l":"en" }
]]></artwork>
      </figure>
      <t><xref target="example-dig"/> shows how the SDE and EDE options appear in a <tt>dig</tt> response for the same query.</t>
      <figure anchor="example-dig">
        <name>dig Response Showing SDE and EDE Options</name>
        <artwork><![CDATA[
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=TBD1 (Structured DNS Error): (no data)
; EDE: 15 (Blocked): ({"c":["tel:+358-555-1234567"],\
  "j":"malware present for 23 days",\
  "s":1,"o":"example-org","l":"en"})
]]></artwork>
      </figure>
    </section>
    <section anchor="operational-considerations">
      <name>Operational Considerations</name>
      <t>When a forwarder receives an EDE option, whether or not (and how) to pass along JSON information in the
EXTRA-TEXT field to its client is implementation-dependent <xref target="RFC5625"/> and depends on operator policy. Implementations <bcp14>MAY</bcp14> choose not to
forward the JSON information, or they <bcp14>MAY</bcp14> choose to create a new EDE option that conveys the information in the
"c", "s", and "j" fields encoded in the JSON object.</t>
      <t>The application that triggered the DNS request may have a client security policy to override the contact information (e.g., redirect all complaint calls to a single contact point). In such cases, the content of the "c" attribute <bcp14>MAY</bcp14> be ignored.</t>
      <section anchor="backward-compatibility">
        <name>Backward Compatibility</name>
        <t>Future extensions <bcp14>MUST NOT</bcp14> introduce mandatory JSON attributes, as existing implementations are required to ignore unknown JSON names (see <xref target="client-processing"/>).</t>
      </section>
      <section anchor="client-updates">
        <name>Client Updates</name>
        <t>The specification relies on several IANA-maintained registries. In particular, since the content of these registries may change with time, clients that implement this extension have to periodically update the list of supported values in the "Contact URI Schemes" registry <xref target="IANA-Contact"/> to avoid discarding a recently-added Contact URI.</t>
      </section>
    </section>
    <section anchor="security">
      <name>Security Considerations</name>
      <section anchor="authentication-and-confidentiality">
        <name>Authentication and Confidentiality</name>
        <t>Security considerations in <xref section="6" sectionFormat="of" target="RFC8914"/> apply to this
document. <xref target="RFC8914"/> cautions against relying on EDE information because it may be unauthenticated and transmitted in cleartext. This specification requires the use of authenticated, integrity-protected DNS transports (e.g., DoT, DoH, or DoQ). Such transports <bcp14>MUST</bcp14> be based on TLS 1.3 <xref target="RFC8446"/> or later.  Under these conditions, EDE information is integrity-protected, reducing the risks associated with relying on structured EDE content.</t>
        <t>To minimize impact of active on-path attacks on the DNS channel, the
client validates the response as described in <xref target="client-processing"/>.</t>
      </section>
      <section anchor="restrictions-on-display-of-c-o-and-j-fields">
        <name>Restrictions on Display of "c", "o", and "j" Fields</name>
        <t>A client might choose to display the information in the "c" field
to the end user if and only if the encrypted resolver has sufficient
reputation, according to some client security policy (e.g.,
administrative configuration, or a built-in list of respectable
resolvers). This limits the ability of a malicious encrypted resolver
to cause harm. For example, an end user can use the details in the "c" field to contact an attacker
to solve the problem of being unable to reach a domain. The attacker can mislead the end user to
install malware or spyware to compromise the device security posture or mislead the end user to reveal
personal data.
If the client decides not to display all of the
information in the EXTRA-TEXT field, it can be logged for diagnostics
purpose and the client can only display the resolver hostname that
blocked the domain, error description for the EDE code and the
sub-error description for the "s" field to the end user.</t>
        <t>The same client security policy considerations apply to the display of the "j" field, as it
contains free-form, human-readable text that may influence end user behavior.</t>
        <t>When displaying the free-form text of "o", the client <bcp14>MUST
NOT</bcp14> make any of those elements into actionable (clickable) links and these
fields need to be rendered as text, not as HTML. The contact details of "c" can be made
into clickable links to provide a convenient way for end users to initiate, e.g., voice calls. The client might
choose to display the contact details only when the identity of the DNS server is verified.</t>
        <t>Clients <bcp14>MUST NOT</bcp14> automatically initiate connections to URIs derived from the EXTRA-TEXT field. Doing so could allow a resolver to silently report client activity to third parties, enable denial-of-service reflection attacks, or be used to entrap a client. The restriction of Contact URI schemes to "tel" and "mailto" is intentional, as these schemes do not result in automatic HTTP connections.</t>
        <t>Furthermore, clients <bcp14>MUST NOT</bcp14> display the value of the <tt>"o"</tt> field to the end user unless one of the following
conditions is met:</t>
        <ul spacing="normal">
          <li>
            <t>The value matches a registered organization name in a trust list maintained by the client, OR</t>
          </li>
          <li>
            <t>The value consists solely of an organization name and does not contain any additional free-form content (e.g., URLs), as determined by client security policy or heuristics.</t>
          </li>
        </ul>
        <t>If the organization name cannot be verified through registry checks or heuristics, the client <bcp14>MUST NOT</bcp14> display the "o" field to the end user.</t>
        <t>It is beyond the scope of this document to describe how the trust list is created and updated, and how the structured DNS error response interacts with the trust list to influence user experience or user interface elements.</t>
        <t>DNS clients <bcp14>MAY</bcp14> keep all fields conveyed in the EXTRA-TEXT field for evaluation according to the client security  policy. Such data <bcp14>MUST NOT</bcp14> be automatically trusted, displayed to end users, or used to influence security decisions without appropriate validation.</t>
      </section>
      <section anchor="security-risks-from-legacy-dns-forwarders">
        <name>Security Risks from Legacy DNS Forwarders</name>
        <t>An attacker might inject (or modify) the EDE EXTRA-TEXT field with a
DNS proxy or DNS forwarder that is unaware of EDE. Such a DNS proxy or
DNS forwarder will forward that attacker-controlled EDE option.  To
prevent such an attack, clients can be configured to process EDE only from
explicitly configured DNS servers or utilize RESINFO
<xref target="RFC9606"/>.</t>
      </section>
      <section anchor="privacy-considerations">
        <name>Privacy Considerations</name>
        <t>The EXTRA-TEXT field may reveal details about the filtering organization and its policies. Clients <bcp14>MUST NOT</bcp14> log or transmit the contents of the EXTRA-TEXT field to third parties without the end user's knowledge.</t>
        <t>This specification requires the use of an encrypted DNS transport (e.g., DoT, DoH, or DoQ), which protects both the DNS query and the structured error response from passive observers.</t>
      </section>
    </section>
    <section anchor="IANA">
      <name>IANA Considerations</name>
      <t>This document requests five IANA actions as described in the following subsections.</t>
      <ul empty="true">
        <li>
          <t>Notes to the RFC Editor: Please replace RFCXXXX with the RFC number assigned to this document and "TBA1" with the value assigned by IANA, and replace "TBD1" in <xref target="example-dig"/> with the value assigned by IANA.</t>
        </li>
      </ul>
      <section anchor="structured-dns-error-edns-option">
        <name>Structured DNS Error EDNS Option</name>
        <t>IANA is requested to register the following new EDNS(0) Option Code in the
"DNS EDNS0 Option Codes (OPT)" registry under the "Domain Name System (DNS) Parameters" registry group <xref target="IANA-DNS"/>:</t>
        <dl>
          <dt>Value:</dt>
          <dd>
            <t>TBD1</t>
          </dd>
          <dt>Name:</dt>
          <dd>
            <t>Structured DNS Error</t>
          </dd>
          <dt>Status:</dt>
          <dd>
            <t>Standard</t>
          </dd>
          <dt>Reference:</dt>
          <dd>
            <t>RFC XXXX</t>
          </dd>
        </dl>
      </section>
      <section anchor="IANA-Names">
        <name>New Registry for JSON Names</name>
        <t>This document requests IANA to create a new registry, entitled "EXTRA-TEXT JSON Names"
under "Extended DNS Error Codes" registry, which is under the "Domain Name System (DNS) Parameters" registry group <xref target="IANA-DNS"/>. The registration request for a new JSON name must include the following fields:</t>
        <dl>
          <dt>JSON Name:</dt>
          <dd>
            <t>Specifies the name of an attribute that is present in the JSON data enclosed in EXTRA-TEXT field. The name must follow the guidelines in <xref target="name-spec"/>.</t>
          </dd>
          <dt>Field Meaning:</dt>
          <dd>
            <t>Provides a brief, human-readable label summarizing the purpose of the JSON attribute.</t>
          </dd>
          <dt>Short description:</dt>
          <dd>
            <t>Includes a short description of the requested JSON name.</t>
          </dd>
          <dt>Specification:</dt>
          <dd>
            <t>Provides a pointer to the reference document that specifies the attribute.</t>
          </dd>
        </dl>
        <t>The registry is initially populated with the following values:</t>
        <table anchor="reg-names">
          <name>Initial JSON Names Registry</name>
          <thead>
            <tr>
              <th align="center">JSON Name</th>
              <th align="left">Field Meaning</th>
              <th align="left">Description</th>
              <th align="center">Specification</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="center">c</td>
              <td align="left">contact</td>
              <td align="left">The contact details of the IT/InfoSec team to report misclassified DNS filtering</td>
              <td align="center">
                <xref target="name-spec"/> of RFCXXXX</td>
            </tr>
            <tr>
              <td align="center">j</td>
              <td align="left">justification</td>
              <td align="left">UTF-8-encoded <xref target="RFC5198"/> textual justification for a particular DNS filtering</td>
              <td align="center">
                <xref target="name-spec"/> of RFCXXXX</td>
            </tr>
            <tr>
              <td align="center">s</td>
              <td align="left">sub-error</td>
              <td align="left">Integer representing the sub-error code for this DNS filtering case</td>
              <td align="center">
                <xref target="name-spec"/> of RFCXXXX</td>
            </tr>
            <tr>
              <td align="center">o</td>
              <td align="left">organization</td>
              <td align="left">UTF-8-encoded human-friendly name of the organization that filtered this particular DNS query</td>
              <td align="center">
                <xref target="name-spec"/> of RFCXXXX</td>
            </tr>
            <tr>
              <td align="center">l</td>
              <td align="left">language</td>
              <td align="left">Indicates the language of the "j" and "o" fields as defined in <xref target="RFC5646"/></td>
              <td align="center">
                <xref target="name-spec"/> of RFCXXXX</td>
            </tr>
          </tbody>
        </table>
        <t>New JSON names are registered via IETF Review (<xref section="4.8" sectionFormat="of" target="RFC8126"/>) and their formatting
constraints are described in <xref target="name-spec"/>.</t>
      </section>
      <section anchor="IANA-Contact">
        <name>New Registry for Contact URI Scheme</name>
        <t>This document requests IANA to create a new registry, entitled "Contact URI Schemes"
under "Extended DNS Error Codes" registry, which is under the "Domain Name System (DNS) Parameters" registry group <xref target="IANA-DNS"/>. The registration request for a new Contact URI scheme has to include the following fields:</t>
        <ul spacing="normal">
          <li>
            <t>Name: URI scheme name.</t>
          </li>
          <li>
            <t>Meaning: Provides a short description of the scheme.</t>
          </li>
          <li>
            <t>Reference: Provides a pointer to an IETF-approved specification that defines
the URI scheme.</t>
          </li>
        </ul>
        <t>The Contact URI scheme registry is initially populated with the
following schemes:</t>
        <table>
          <thead>
            <tr>
              <th align="center">Name</th>
              <th align="left">Meaning</th>
              <th align="center">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="center">tel</td>
              <td align="left">Telephone Number</td>
              <td align="center">
                <xref target="RFC3966"/></td>
            </tr>
            <tr>
              <td align="center">mailto</td>
              <td align="left">Internet mail</td>
              <td align="center">
                <xref target="RFC6068"/></td>
            </tr>
          </tbody>
        </table>
        <t>The registration procedure for adding new Contact URI schemes to the "Contact URI Schemes" registry is "IETF
Review" as defined in <xref section="4.8" sectionFormat="of" target="RFC8126"/>.</t>
      </section>
      <section anchor="IANA-SubError">
        <name>New Registry for Extended DNS Sub-Error Codes</name>
        <t>This document requests IANA to create a new registry, entitled "Extended DNS Sub-Error Codes"
under "Extended DNS Error Codes" registry, which is under the "Domain Name System (DNS) Parameters" registry group <xref target="IANA-DNS"/>. The registration request for a new sub-error code must include the
following fields:</t>
        <ul spacing="normal">
          <li>
            <t>Number: Is the wire format sub-error code (range 0-255).</t>
          </li>
          <li>
            <t>Meaning: Provides a short description of the sub-error.</t>
          </li>
          <li>
            <t>EDE Codes Applicability: Indicates which Extended DNS Error (EDE) Codes apply to this sub-error code.</t>
          </li>
          <li>
            <t>Reference: Provides a pointer to an IETF-approved specification that registered
the code and/or an authoritative specification that describes the
meaning of this code.</t>
          </li>
        </ul>
        <t>The Sub-Error Code registry is initially populated with the
following values:</t>
        <table anchor="reg">
          <name>Initial Sub-Error Code Registry</name>
          <thead>
            <tr>
              <th align="center">Number</th>
              <th align="left">Meaning</th>
              <th align="left">EDE Codes Applicability</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="center">0</td>
              <td align="left">Reserved</td>
              <td align="left">Not used</td>
              <td align="left">
                <xref target="policy-reserved"/> of this document</td>
            </tr>
            <tr>
              <td align="center">1</td>
              <td align="left">Malware</td>
              <td align="left">"Blocked", "Blocked by Upstream DNS Server", "Filtered"</td>
              <td align="left">Section 5.5 of <xref target="RFC5901"/></td>
            </tr>
            <tr>
              <td align="center">2</td>
              <td align="left">Phishing</td>
              <td align="left">"Blocked", "Blocked by Upstream DNS Server", "Filtered"</td>
              <td align="left">Section 5.5 of <xref target="RFC5901"/></td>
            </tr>
            <tr>
              <td align="center">3</td>
              <td align="left">Spam</td>
              <td align="left">"Blocked", "Blocked by Upstream DNS Server", "Filtered"</td>
              <td align="left">
                <xref target="RFC4949"/></td>
            </tr>
            <tr>
              <td align="center">4</td>
              <td align="left">Spyware</td>
              <td align="left">"Blocked", "Blocked by Upstream DNS Server", "Filtered"</td>
              <td align="left">
                <xref target="RFC4949"/></td>
            </tr>
            <tr>
              <td align="center">5</td>
              <td align="left">Network operator policy</td>
              <td align="left">"Blocked"</td>
              <td align="left">
                <xref target="policy-network"/> of this document</td>
            </tr>
            <tr>
              <td align="center">6</td>
              <td align="left">DNS operator policy</td>
              <td align="left">"Blocked"</td>
              <td align="left">
                <xref target="policy-dns"/> of this document</td>
            </tr>
          </tbody>
        </table>
        <t>The registration procedure to add new Sub-Error Codes is IETF Review as defined in <xref section="4.8" sectionFormat="of" target="RFC8126"/>.</t>
      </section>
      <section anchor="new-extended-dns-error-code">
        <name>New Extended DNS Error Code</name>
        <t>IANA is requested to assign the following Extended DNS Error code from the "Extended DNS Error Codes"
registry under the "Domain Name System (DNS) Parameters" registry group <xref target="IANA-DNS"/>:</t>
        <table anchor="reg-ede">
          <name>New DNS Error Code</name>
          <thead>
            <tr>
              <th align="center">INFO-CODE</th>
              <th align="left">Purpose</th>
              <th align="center">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="center">TBA1</td>
              <td align="left">Blocked by Upstream DNS Server</td>
              <td align="center">RFCXXXX</td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC8914">
          <front>
            <title>Extended DNS Errors</title>
            <author fullname="W. Kumari" initials="W." surname="Kumari"/>
            <author fullname="E. Hunt" initials="E." surname="Hunt"/>
            <author fullname="R. Arends" initials="R." surname="Arends"/>
            <author fullname="W. Hardaker" initials="W." surname="Hardaker"/>
            <author fullname="D. Lawrence" initials="D." surname="Lawrence"/>
            <date month="October" year="2020"/>
            <abstract>
              <t>This document defines an extensible method to return additional information about the cause of DNS errors. Though created primarily to extend SERVFAIL to provide additional information about the cause of DNS and DNSSEC failures, the Extended DNS Errors option defined in this document allows all response types to contain extended error information. Extended DNS Error information does not change the processing of RCODEs.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8914"/>
          <seriesInfo name="DOI" value="10.17487/RFC8914"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC9499">
          <front>
            <title>DNS Terminology</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="K. Fujiwara" initials="K." surname="Fujiwara"/>
            <date month="March" year="2024"/>
            <abstract>
              <t>The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document.</t>
              <t>This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="219"/>
          <seriesInfo name="RFC" value="9499"/>
          <seriesInfo name="DOI" value="10.17487/RFC9499"/>
        </reference>
        <reference anchor="RFC7493">
          <front>
            <title>The I-JSON Message Format</title>
            <author fullname="T. Bray" initials="T." role="editor" surname="Bray"/>
            <date month="March" year="2015"/>
            <abstract>
              <t>I-JSON (short for "Internet JSON") is a restricted profile of JSON designed to maximize interoperability and increase confidence that software can process it successfully with predictable results.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7493"/>
          <seriesInfo name="DOI" value="10.17487/RFC7493"/>
        </reference>
        <reference anchor="RFC5198">
          <front>
            <title>Unicode Format for Network Interchange</title>
            <author fullname="J. Klensin" initials="J." surname="Klensin"/>
            <author fullname="M. Padlipsky" initials="M." surname="Padlipsky"/>
            <date month="March" year="2008"/>
            <abstract>
              <t>The Internet today is in need of a standardized form for the transmission of internationalized "text" information, paralleling the specifications for the use of ASCII that date from the early days of the ARPANET. This document specifies that format, using UTF-8 with normalization and specific line-ending sequences. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5198"/>
          <seriesInfo name="DOI" value="10.17487/RFC5198"/>
        </reference>
        <reference anchor="RFC5646">
          <front>
            <title>Tags for Identifying Languages</title>
            <author fullname="A. Phillips" initials="A." role="editor" surname="Phillips"/>
            <author fullname="M. Davis" initials="M." role="editor" surname="Davis"/>
            <date month="September" year="2009"/>
            <abstract>
              <t>This document describes the structure, content, construction, and semantics of language tags for use in cases where it is desirable to indicate the language used in an information object. It also describes how to register values for use in language tags and the creation of user-defined extensions for private interchange. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="47"/>
          <seriesInfo name="RFC" value="5646"/>
          <seriesInfo name="DOI" value="10.17487/RFC5646"/>
        </reference>
        <reference anchor="RFC8310">
          <front>
            <title>Usage Profiles for DNS over TLS and DNS over DTLS</title>
            <author fullname="S. Dickinson" initials="S." surname="Dickinson"/>
            <author fullname="D. Gillmor" initials="D." surname="Gillmor"/>
            <author fullname="T. Reddy" initials="T." surname="Reddy"/>
            <date month="March" year="2018"/>
            <abstract>
              <t>This document discusses usage profiles, based on one or more authentication mechanisms, which can be used for DNS over Transport Layer Security (TLS) or Datagram TLS (DTLS). These profiles can increase the privacy of DNS transactions compared to using only cleartext DNS. This document also specifies new authentication mechanisms -- it describes several ways that a DNS client can use an authentication domain name to authenticate a (D)TLS connection to a DNS server. Additionally, it defines (D)TLS protocol profiles for DNS clients and servers implementing DNS over (D)TLS. This document updates RFC 7858.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8310"/>
          <seriesInfo name="DOI" value="10.17487/RFC8310"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
        <reference anchor="RFC3966">
          <front>
            <title>The tel URI for Telephone Numbers</title>
            <author fullname="H. Schulzrinne" initials="H." surname="Schulzrinne"/>
            <date month="December" year="2004"/>
            <abstract>
              <t>This document specifies the URI (Uniform Resource Identifier) scheme "tel". The "tel" URI describes resources identified by telephone numbers. This document obsoletes RFC 2806. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3966"/>
          <seriesInfo name="DOI" value="10.17487/RFC3966"/>
        </reference>
        <reference anchor="RFC6068">
          <front>
            <title>The 'mailto' URI Scheme</title>
            <author fullname="M. Duerst" initials="M." surname="Duerst"/>
            <author fullname="L. Masinter" initials="L." surname="Masinter"/>
            <author fullname="J. Zawinski" initials="J." surname="Zawinski"/>
            <date month="October" year="2010"/>
            <abstract>
              <t>This document defines the format of Uniform Resource Identifiers (URIs) to identify resources that are reached using Internet mail. It adds better internationalization and compatibility with Internationalized Resource Identifiers (IRIs; RFC 3987) to the previous syntax of 'mailto' URIs (RFC 2368). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6068"/>
          <seriesInfo name="DOI" value="10.17487/RFC6068"/>
        </reference>
        <reference anchor="RFC5901">
          <front>
            <title>Extensions to the IODEF-Document Class for Reporting Phishing</title>
            <author fullname="P. Cain" initials="P." surname="Cain"/>
            <author fullname="D. Jevans" initials="D." surname="Jevans"/>
            <date month="July" year="2010"/>
            <abstract>
              <t>This document extends the Incident Object Description Exchange Format (IODEF) defined in RFC 5070 to support the reporting of phishing events, which is a particular type of fraud. These extensions are flexible enough to support information gleaned from activities throughout the entire electronic fraud cycle -- from receipt of the phishing lure to the disablement of the collection site. Both simple reporting and complete forensic reporting are possible, as is consolidating multiple incidents. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5901"/>
          <seriesInfo name="DOI" value="10.17487/RFC5901"/>
        </reference>
        <reference anchor="RFC4949">
          <front>
            <title>Internet Security Glossary, Version 2</title>
            <author fullname="R. Shirey" initials="R." surname="Shirey"/>
            <date month="August" year="2007"/>
            <abstract>
              <t>This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="FYI" value="36"/>
          <seriesInfo name="RFC" value="4949"/>
          <seriesInfo name="DOI" value="10.17487/RFC4949"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="IANA-DNS" target="https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#extended-dns-error-codes">
          <front>
            <title>Domain Name System (DNS) Parameters, Extended DNS Error Codes</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="RPZ" target="https://dnsrpz.info">
          <front>
            <title>Response Policy Zone</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="Impl-1" target="https://datatracker.ietf.org/meeting/116/materials/slides-116-dnsop-dns-errors-implementation-proposal-slides-116-dnsop-update-on-dns-errors-implementation-00">
          <front>
            <title>Use of DNS Errors To improve Browsing User Experience With network based malware protection</title>
            <author>
              <organization/>
            </author>
            <date year="2023" month="March"/>
          </front>
        </reference>
        <reference anchor="RFC7754">
          <front>
            <title>Technical Considerations for Internet Service Blocking and Filtering</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="A. Cooper" initials="A." surname="Cooper"/>
            <author fullname="O. Kolkman" initials="O." surname="Kolkman"/>
            <author fullname="D. Thaler" initials="D." surname="Thaler"/>
            <author fullname="E. Nordmark" initials="E." surname="Nordmark"/>
            <date month="March" year="2016"/>
            <abstract>
              <t>The Internet is structured to be an open communications medium. This openness is one of the key underpinnings of Internet innovation, but it can also allow communications that may be viewed as undesirable by certain parties. Thus, as the Internet has grown, so have mechanisms to limit the extent and impact of abusive or objectionable communications. Recently, there has been an increasing emphasis on "blocking" and "filtering", the active prevention of such communications. This document examines several technical approaches to Internet blocking and filtering in terms of their alignment with the overall Internet architecture. When it is possible to do so, the approach to blocking and filtering that is most coherent with the Internet architecture is to inform endpoints about potentially undesirable services, so that the communicants can avoid engaging in abusive or objectionable communications. We observe that certain filtering and blocking approaches can cause unintended consequences to third parties, and we discuss the limits of efficacy of various approaches.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7754"/>
          <seriesInfo name="DOI" value="10.17487/RFC7754"/>
        </reference>
        <reference anchor="RFC8484">
          <front>
            <title>DNS Queries over HTTPS (DoH)</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="P. McManus" initials="P." surname="McManus"/>
            <date month="October" year="2018"/>
            <abstract>
              <t>This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8484"/>
          <seriesInfo name="DOI" value="10.17487/RFC8484"/>
        </reference>
        <reference anchor="RFC7858">
          <front>
            <title>Specification for DNS over Transport Layer Security (TLS)</title>
            <author fullname="Z. Hu" initials="Z." surname="Hu"/>
            <author fullname="L. Zhu" initials="L." surname="Zhu"/>
            <author fullname="J. Heidemann" initials="J." surname="Heidemann"/>
            <author fullname="A. Mankin" initials="A." surname="Mankin"/>
            <author fullname="D. Wessels" initials="D." surname="Wessels"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="May" year="2016"/>
            <abstract>
              <t>This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS.</t>
              <t>This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7858"/>
          <seriesInfo name="DOI" value="10.17487/RFC7858"/>
        </reference>
        <reference anchor="RFC9250">
          <front>
            <title>DNS over Dedicated QUIC Connections</title>
            <author fullname="C. Huitema" initials="C." surname="Huitema"/>
            <author fullname="S. Dickinson" initials="S." surname="Dickinson"/>
            <author fullname="A. Mankin" initials="A." surname="Mankin"/>
            <date month="May" year="2022"/>
            <abstract>
              <t>This document describes the use of QUIC to provide transport confidentiality for DNS. The encryption provided by QUIC has similar properties to those provided by TLS, while QUIC transport eliminates the head-of-line blocking issues inherent with TCP and provides more efficient packet-loss recovery than UDP. DNS over QUIC (DoQ) has privacy properties similar to DNS over TLS (DoT) specified in RFC 7858, and latency characteristics similar to classic DNS over UDP. This specification describes the use of DoQ as a general-purpose transport for DNS and includes the use of DoQ for stub to recursive, recursive to authoritative, and zone transfer scenarios.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9250"/>
          <seriesInfo name="DOI" value="10.17487/RFC9250"/>
        </reference>
        <reference anchor="RFC3986">
          <front>
            <title>Uniform Resource Identifier (URI): Generic Syntax</title>
            <author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee"/>
            <author fullname="R. Fielding" initials="R." surname="Fielding"/>
            <author fullname="L. Masinter" initials="L." surname="Masinter"/>
            <date month="January" year="2005"/>
            <abstract>
              <t>A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="66"/>
          <seriesInfo name="RFC" value="3986"/>
          <seriesInfo name="DOI" value="10.17487/RFC3986"/>
        </reference>
        <reference anchor="RFC9715">
          <front>
            <title>IP Fragmentation Avoidance in DNS over UDP</title>
            <author fullname="K. Fujiwara" initials="K." surname="Fujiwara"/>
            <author fullname="P. Vixie" initials="P." surname="Vixie"/>
            <date month="January" year="2025"/>
            <abstract>
              <t>The widely deployed Extension Mechanisms for DNS (EDNS(0)) feature in the DNS enables a DNS receiver to indicate its received UDP message size capacity, which supports the sending of large UDP responses by a DNS server. Large DNS/UDP messages are more likely to be fragmented, and IP fragmentation has exposed weaknesses in application protocols. It is possible to avoid IP fragmentation in DNS by limiting the response size where possible and signaling the need to upgrade from UDP to TCP transport where necessary. This document describes techniques to avoid IP fragmentation in DNS.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9715"/>
          <seriesInfo name="DOI" value="10.17487/RFC9715"/>
        </reference>
        <reference anchor="RFC9462">
          <front>
            <title>Discovery of Designated Resolvers</title>
            <author fullname="T. Pauly" initials="T." surname="Pauly"/>
            <author fullname="E. Kinnear" initials="E." surname="Kinnear"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <author fullname="P. McManus" initials="P." surname="McManus"/>
            <author fullname="T. Jensen" initials="T." surname="Jensen"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>This document defines Discovery of Designated Resolvers (DDR), a set of mechanisms for DNS clients to use DNS records to discover a resolver's encrypted DNS configuration. An Encrypted DNS Resolver discovered in this manner is referred to as a "Designated Resolver". These mechanisms can be used to move from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known. These mechanisms are designed to be limited to cases where Unencrypted DNS Resolvers and their Designated Resolvers are operated by the same entity or cooperating entities. It can also be used to discover support for encrypted DNS protocols when the name of an Encrypted DNS Resolver is known.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9462"/>
          <seriesInfo name="DOI" value="10.17487/RFC9462"/>
        </reference>
        <reference anchor="RFC8792">
          <front>
            <title>Handling Long Lines in Content of Internet-Drafts and RFCs</title>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <author fullname="E. Auerswald" initials="E." surname="Auerswald"/>
            <author fullname="A. Farrel" initials="A." surname="Farrel"/>
            <author fullname="Q. Wu" initials="Q." surname="Wu"/>
            <date month="June" year="2020"/>
            <abstract>
              <t>This document defines two strategies for handling long lines in width-bounded text content. One strategy, called the "single backslash" strategy, is based on the historical use of a single backslash ('\') character to indicate where line-folding has occurred, with the continuation occurring with the first character that is not a space character (' ') on the next line. The second strategy, called the "double backslash" strategy, extends the first strategy by adding a second backslash character to identify where the continuation begins and is thereby able to handle cases not supported by the first strategy. Both strategies use a self-describing header enabling automated reconstitution of the original content.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8792"/>
          <seriesInfo name="DOI" value="10.17487/RFC8792"/>
        </reference>
        <reference anchor="RFC5625">
          <front>
            <title>DNS Proxy Implementation Guidelines</title>
            <author fullname="R. Bellis" initials="R." surname="Bellis"/>
            <date month="August" year="2009"/>
            <abstract>
              <t>This document provides guidelines for the implementation of DNS proxies, as found in broadband gateways and other similar network devices. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="152"/>
          <seriesInfo name="RFC" value="5625"/>
          <seriesInfo name="DOI" value="10.17487/RFC5625"/>
        </reference>
        <reference anchor="RFC9606">
          <front>
            <title>DNS Resolver Information</title>
            <author fullname="T. Reddy.K" initials="T." surname="Reddy.K"/>
            <author fullname="M. Boucadair" initials="M." surname="Boucadair"/>
            <date month="June" year="2024"/>
            <abstract>
              <t>This document specifies a method for DNS resolvers to publish information about themselves. DNS clients can use the resolver information to identify the capabilities of DNS resolvers. How DNS clients use such information is beyond the scope of this document.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9606"/>
          <seriesInfo name="DOI" value="10.17487/RFC9606"/>
        </reference>
      </references>
    </references>
    <?line 771?>

<section anchor="interoperation-with-rpz-servers">
      <name>Interoperation with RPZ Servers</name>
      <t>This appendix provides a non-normative guidance for operation with a Response Policy Zones (RPZ) server <xref target="RPZ"/> that
indicates filtering with a NXDOMAIN response with the Recursion
Available bit cleared (RA=0). This guidance is provided to ease interoperation with RPZ.</t>
      <t>When a DNS client supports this specification, it includes the
SDE option in its DNS query.</t>
      <t>If the server does not support this specification and is performing
RPZ filtering, the server ignores the SDE option in the DNS query and
replies with NXDOMAIN and RA=0. The DNS client can continue to accept
such responses.</t>
      <t>If the server does support this specification and is performing RPZ
filtering, the server can use the SDE option in the query to identify
an SDE-aware client and respond appropriately (that is, by generating
a response described in <xref target="server-response"/>) as NXDOMAIN and RA=0
are not necessary when generating a response to such a client.</t>
    </section>
    <section anchor="implementation-status">
      <name>Implementation Status</name>
      <ul empty="true">
        <li>
          <t>Note to the RFC Editor: please remove this appendix prior publication.</t>
        </li>
      </ul>
      <t>At IETF#116, Gianpaolo Scalone (Vodafone) and Ralf Weber (Akamai) presented an implementation of this specification. More details can be found at <xref target="Impl-1"/>.</t>
    </section>
    <section numbered="false" anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>Thanks to Vittorio Bertola, Wes Hardaker, Ben Schwartz, Erid Orth,
Viktor Dukhovni, Warren Kumari, Paul Wouters, John Levine, Bob
Harold, Mukund Sivaraman, Gianpaolo Angelo Scalone, Mark Nottingham, Stephane Bortzmeyer, Daniel Migault, Lars Eggert, and Stephen Farrell for the comments.</t>
      <t>Thanks to Ralf Weber and Gianpaolo Scalone for sharing details about their implementation.</t>
      <t>Thanks Petr Špaček, Di Ma and Matt Brown for the DNSDIR reviews, Joseph Salowey for the SECDIR review, and Paul Kyzivat for the ARTART reviews.</t>
      <t>Thanks to Éric Vyncke for the AD review.</t>
      <t>Thanks to Mike Bishop, Roman Danyliw, Mahesh Jethanandani, Andy Newton, and Deb Cooley for the IESG review.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIACEOUGoAA9V92Xrb2JXuPZ5iN31hMU3SlqeyVUk6siXHSmxLkeRUhs53
CiRBCSUQYABQssrlvj8X5x36Wc7wXmf9a609gaDsDH3R+uorkyCwh7XXPGE8
Hidt3hbZnhmctfV61q7rbG4O67qqzUHapmZBH17nRZvh+sH7s0GSTqd1dh0/
QD/IQ4NklrbZRVXf7pmmnSfr1Zy+N3vm+YvdJ0kyr2ZluqTZ5nW6aMd51i7G
87KpVuPGDYYL4wyDjR89TZr1dJk3TV6V7e2KHjw6PH+dlOvlNKv3Eoy9l8yq
ssnKZk2z0CBZQmt7nKR1ltIaj0paeZm1g+Smqq8u6mq9oqtY7vEqq9OWxm3M
d/RTXl6YX+PnQXKV3dLN873EjM2rddNWy6w22Ue6P8/KWYbLRyXBZUkbn2ez
HIvDxbZOy2ZFE5ezW3zPyjqfXdJNiyybT9PZVZJcZ+WaVmyMXQlvfkAXZHeD
zlKMWaZ5Ye/7FeA1qeoL/JDWs0v64bJtV83egwe4D5fy62xib3uACw+mdXXT
ZA94hAd48iJvL9dTepbBf3MhJ/Dgq44Ezxc40TaYOxpnIsNP8urrRvy6uyaX
7bIYJEnTpuX8f6RFVRK0brMmWeV75s9tNRuZpqrbOls09Ol2qR9aOoF2ZGbV
cpmVLV0hBFymqxWB+C9Jkq7by6rGOdOujFmsi0Kw8yAtzXd0D18mQKZl/iPj
yp55ldOYH83ZbdNmSxrwqJxN+DZLFnIDX5pV67IFJXwo85bw4KwF5Ey1MPuE
Uvks5bsye8RpeUNz/uoC3ye05MHmws7zer1Mi6y5SWtzms3ntz1LfF9d5TL0
LG9p9pdpeUEQqzO+VmcXfNdv07okAr9K46UelfM8XtdVVc7bvL5zXe+zvDCv
quqqZzlEaOX4D7NLWkXWC5bf0q7n1TKatMx4rurqV2VFe83o82R91TPzu+oy
BSG+rNazdJ7mdd8Kajc3YUSWEe6eZmVJ2CPLmdM4j58+fPgwXt5remyWRcta
ymyTqZ3tVxWPLWBJkpK4Ak16TTSe5Mwj7Ddjjvbf74+J8+zxiEbZ7kFFQ5fm
PQ2rSGV26KahOUlrukbci5Ds8GOblfOQzxKw57p+49BY/sb2QxcMA6xgoLOn
9QXgYEn45uZmkqdlKmyD+O1FyRQDtjFeuaV0vk4+gizvZbq8gHPP/PKYSZtF
WjQZwHB68qcYAqdZswIHNydVkc9uzZ+ItvsXScPXqx8nAGzv0EfLVTHejUcf
fKCRieIc5BpzXpl8uaqr68y8BG8Ev6W7agKz5fFE/e2lIbkBqWGmaUOwJ7oD
Jhp6ss1mAOkWWNKqUpIFs6us9qx4SWhHEz3Y3X1GvJqAl9OqHzRFTnAa00Xl
fQ6CzZjWWGQ4BD6+MU27qpq0GG88IzJ2TPdsf1pxWyH2+OH44ePxo4ePHifJ
eDwm3tVgwW2SAEwLFveASt6YG5qsuCU5tyqqW8gywr3rtM6rdUOsJG3o5EYm
L2fFeg6GaUHWZLN1TdzHELs2KznYDAQx40VNzJvqJrvO6pHOprhdKy40JGRm
V8ZLAuOoiWQt1kAIZ9Z0aI1pK7Mm7KtZNJj2MtN18VLx1e1nkhx+zBscg1lm
YEh5s+TngQy0Twj5goigJfWFdtwSzfPPfq5ZSv+ay7ReJrRSkv1pQcDJFzzP
tKjozOONAIRYx5vz8xO+Wq0JBM0kSc4v6ScSR2vAw6ieZE5fv2JVyUxvDYgw
LbDaWZHjpma9WpGQ4wEtaPAzJj/8w/np/vic/qH9ZsWccD7h65usI9iw3SRB
CzdHpz8xZ+vZZWJvmZFMnBL2pzWIgZaHB3RhAPw8bwh4hCIjU1QXF/iX5lo3
gjNJRbfXZrWuCYl5/8C7ZT6fF0S690jstHU1XzNZhVjYGJBchH0p419GuEVk
7VAwm1xMRjipVZWXbWLxb2RYIWvTwm9sxOv1WF5nf13ntWyqSG+SCE/fC0KP
hQc4tG6qYi3KY0NAMimdMg1xQ+jQYPQE+1lDMTQnpBXQSPioSoPZOTohBl+D
rtaEJY7PEA0uFvmMJAdwix9pmVcJJRtwJ2a83dUwgeUZT20qVmyzhHbj9xgR
14TATWC8JMXWzj0yG5Rvjw4HnTSQTwps7Dadgn1iunQ+z7FUpgTc7gBOejkd
aoHZRAlPzrL6OifueiLoVwMUZyfNENovqUMYgYnIpDMiEqa9BovE2uYsKIlk
1hmup4keG0OGYFQpWhKaQh6RclMYwJ3AsyPIQWcb8qAkvYCmPjTEiCvAVlX6
daMAUyhjG5gjYCPJoeMItGF7fOl8mRNLoVNsIWYK8Lf0wkK/kb3Tpi7T1k4X
QHyZ3hKzbS6xuTqbZaQ2mCWUtpApBVwQR7BuFf2CcfhxQs9rllTTAgh3A2nm
WSHRHp9U9jEFbo3wDHZJEsCxAV1uvCkGfFFUNwVdoVn9ufCukhvCDMifMiPx
UNx63i6P9rPpFBjT5rM12S+JjnbDBCUPT0QYM9iC/Y8wxi2zpdllRaefYIYG
SCm8xmE2EQRmIVxcEzhIMSAu3XqY3LXbxILS7SpkI8TneIRoVVlLBkHyWmVP
TFWB1CERPqvzKUs28+lTpoJpTKrFZZn/dZ01nz+P7BAJ1kdbwmbrjLi+4Djz
dZb3rMQ25qVIoJGz2EfmFVnGVS3cGKsixmz2y+aGRptni7y0CzhThvMEXPVf
SAxBCn3+HAhqWgtBVxS7qqTTZcTUow82Wc2IKzE7JfRkMS4ixMljEA5gS4bG
RUkH1wdcAuH7imiipa/m5pLsaLaQheV70UoUzMxubnYWsrejE3AkuqfZyZrh
KHn/h4Pjd/tH74GC2XLFGgl2TwdFbFmwIO0F51DAb4V/cnNZEQ7lJNqwOXu4
dFJEl5eEr0XeksZpcMKzrIPuvINE2ZGjCozBz4+IF98I5bKAT0ky0oNXQK2A
bvkMby5vdV3xYDk91oI6JyZWLSymNRjWImASKAHMQuSMCOz7jSEC6qLFM0D+
3wgtvvnm6RNgJj1M0CwsS7JqiBXAghTMzPET4OPwQueleTJw+ZTgF7pOBA58
hHQyt3IizSjgEjRr2gj5kxCl4xcGVuBjTWx/ni6Jt9PKRKcQuUDDpI6LQwE5
LhmdsGphGFNCpkXeNvZquqKVpgybgFbbCLi5KIhFThDghVxCpOJsq2RAeFot
BirSVrSkfl1Qzov+o7lywkoS7DkMT1GuGq8ACJBxo13ZTbUmVY/UspQ5W2W1
MBKPy4wOurwgS1lxeglYX2Si/ciDdNB2tRAAdB4ty1yWKYlfty7RTdteEq2m
11U+b8IdE3gIa4uCEI0epYOoq6pNZhmdG6k1AI+YqsBb1jhB/Efn4yWJtwt2
prGE3FCOQwwWTstwXAJeZTYmOTLn/cPwUopJevRhQueQsZ3Twjf0b4/xj2JG
OFIabtLbpsv0MefGfDjSUpkKVnu5pm2yr3JNhIOndgB+gki1ZA4GzZoObLi5
/SpjmoRawI6seUesgNE6osLJK5HzvNOMeWiXwhzzriIuR7rC5a1TuhJwJ9Yr
68zL4ySBxv6qKlWvFbXzANKENcEGG8jMFZEn/KiNGbz7cHY+GMm/5v0xfz49
/N2Ho9PDA3w+e7P/9q37kOgdZ2+OP7w98J/8k6+O3707fH8gD9NVE11KBu/2
/zgQPB8cn5wfHb/ffzvYpF1sirY/ZU6R1SuSrHQMaZNE9P7y1cn//k8yyAR5
Hu3uvvj82WLS7jeEGQSxrJTZWCzKV3CnhAgmS2uMAqqYpaucyINYGXGvhjh+
aYjtZATPn/0ZkPnLnvn5dLbaffJLvYANRxctzKKLDLPNKxsPCxB7LvVM46AZ
Xe9AOl7v/h+j7xbuwcWf/xsZs5kZ7z7/t18mGwYwjH46BVaNnF4CPD/PIF4q
UrZuFe4vnrygQyC4DQ7LWX27ajU0QQSyUI8ACw73YzO7JAaqXO6a8BLjKj9s
RkmkC+OnCsqWsOmdg+rNkOaF7Hv+5DlzAnfL+Vu+4dze8M3zp89xA4lpdw+d
2Cvc9Dt704tHTx/y6iMGFC69z2jfOTw4HKptAhmllvSIGQNdSI7evz4evzo+
OAR2rbA45omPNxnfIFIDQS+qN4KarL5o6cdqkgMhFzB+NgxZSC9YkesMaHae
DINBzc7u02E4Ml14NuwOTxe/GQ4IKEcdKqUHrfcjsnbpeK/TYs38Nzz4jt9L
cSmxcRqSNayQeHNPPRmAtE7E+h/YNG4kEi4gu5hhix15k00TCarUQ9ZjYZIv
gdpE0+z1IBYAjWIUOrBECEdSQ0A5ClwnCfwbM6AsHAMEjr4Ym9k5Ay5AIBOq
0OWdh0MyclQSzXm1tPI+bxHWUZJyy3r6otdxNDFnWSY2MQnDg0MhNEweGUch
zDEMtLNbq5vnwDzMK74IOAZx2gTVRX7hfVbW8gKknAuRf5k7YQI/lpd01tGB
JR2dP0AYjuQ18Y102V1Q6PsmVQS3hMtjohc7m4+ZlkdCc87uNqK9MRspoo6z
QkgK+ayAY5yAxGeRBIagX7zFM3apOVOZf1H/BU97nYOQ+zd2j+Hy2v107ixC
XiVxjbw2b0nhbDV8+elen/UoXjTvUFX/nbMX4GCkjfL6Ba9TM60uiL53+PDh
jiHCGYhdNRi6oUbG2VSM06OuaTUx+zTAyFj9VWfObcx0q73oVkQDJT08EFZZ
bLWGbO0QmqkgdZOREkTqJekelylZ70UALZ6dnYp0ouumsVo9EBbnJaQzbUQN
5AO5Z5TB2VCFajg9jt4LYY3WtCJFGJ4SWpW3S9UFlLCdZDk+hM3O2VDJgTAH
SrO3qcRmFo9P7OFOnI3lfWZyB7AAnERdKsq8NIoxnJgjoX9SwlsESGkXYH4i
ox6/eP7s8+eE1q1rMx9O32KLU+thELW/4+wXBT7RqVzs/KTOiHxo34d/Xecr
Fnc7r06IhdGZWrfpkGBG5waIpIHFxCYF6feWW2EtiYP5goxQ8UOrj07hXvOu
BH5pqxBQIwYrZq8toIU44q04ATAy5M9C5I9wV9EBaO93btjATUEEIA5LnKCP
B8guvEIxMXC+klosolO9OWn/zXfPyiqTmlrFbeJ9ITC7TGR2MfOtBW5MYFDO
V2leixnkrbXosbxJ1KKDC6+MDXwyh4rszvXR6de8wlm1urUHuKrza4xNC5gk
B14WQJUCA24u06tM9o2gVxqE4brjL0mOLfJMzLFg3YligZPtlqgICjuE+oir
NPCXiDbVWZVHqn4blj1TbOmnLcd1zc9wohKi4JgpxH8N2ld9glCJOMXZ4atx
ygFEDomJ/tGwLgdLgJSZfK5qxsHxL3bZ+xTa3FMYfxmMymyxAHMiLKNrHJCS
4SXCh0yYOrM2aptduDAcjG9YbLNcYieRfIBHRwIVBBJlZJByRnIGrBRh4Ewz
y2+gXU8UCOdKnlamMw16xNl2ijc5mUbMpSMGJhMLBO83AfscOa6FBABRI3EF
DIrRxfMyRTllhdbPEmhgPPcUCEJKASDKplneyg9kIsNBEbJgWgkhlnje7MQc
ByTccB4dFTFlwLiFP4hskG1aqL0KdKJ0GyFWpaM7cCaBDXsPzHXOar5T/2gv
1+IECxCyyK+yKNxDRg+P0cB1Dov0bAkL9Rjhp+zBG9wpn0nXPH5zPGQZz/c8
eJfN87Uka5hDsZuJt9N97w6HHFhSP3HKSAUAaXCHAE3HnEMJVgko0fPLrD8G
bAIBaVGKIcuHozqzHyP0Vqlo8/QnlK4WHYGMRiQt3qgWD3tNMik0dBAo/UMh
Q1rUugDwwavDo/F0q+THmop4rC8Io+C5iXCu43DZEOoyzKIvfmBxJgC7PU+S
cYIQJN1vEaEj88UiIkFLZSQcfN7PpnsmjmQdcMovj85FXaY1vKumYPMHQqvv
+D4R4O8O3g01p0CGIzUyCImX6t3O24zTr2jnLxnJ/0g0Yo6J48mYMsTOyz8e
H5D2M8tK5BZIgFIDi6MOM47AT7olbVsGmWYmEldH1bldG4t4wDl1wsNvpSUS
sKDdD6jW+d2uyurGWL+7gpHZByxt4ZpwHJVzpSpOSCSeU7bF7YgDe2RIZBDN
BVzd6uEWR2pm9TM48VgRKTW5RVWUiXldr9nosmqXWyBGbuiZ2aVqkWnBgc9W
oeriykCDasHWEWFj7DxML2CWtC69BdFrfnpFeH/J5sGqgnIlBwvuSjKA7Rey
F2i9YaqHPglpOrulla9r0BPCmKPo2MSnD6dkXsapHESzsytL1XW1vrjseVCd
saykmWkaRsKRxkLnS8xewdjjm+csguCg7bR9MwZUDcddGUOfsGit+L7p+d4c
ppKwe9MqFk7MQcX2RsURIImzYVMwwOKdWcjK9lRMzeqMvdapB8D1uoAaSFSL
b3zyWOjUbuQjSQXOukOo3Lw7On8H6ZTOribmu0uOk3b3RPcGmpAgeHgiH1ek
wjcd1ETAh8C6w9g13ISTk/BldrMFZJHl5UxO8TF9tf1V+idt3A8qU+iBKKrq
ar3CUwtEwDqhDtYYgPTEvSFomURF32JPbyhonFLnhcJII1V2bW65LMQwoR1s
dpnNrpog3pr3KZXBbDVhdhal7lgh6bIZ7NjRejpZIUFomdcYwcxbWpp4Q+Mo
w/Kal66Hd4SsF/gjFYwcAoVrrKuPXqxThOMySYeVZTpY6YDAIWJXJNA0sgXd
dI0UiSkxtoyRlYyeNTxvrN92gewYUA/fBF+PArQgB2XFIlQgT5hLC2/v8nHV
6azWagXM13FtqIo1x9rUo1syAZNYUrdFj4T4W/iwY8FMQ86VEqSOskO5GQoh
3ZVMwMM5N633viRbcwasw0dsW8tqOggqBJr47KGe3BbGBTZw4IjgESQZHItu
tixbFaFmDXkXGHPeBZREnp/pmlgc0dfO7lAsxEek7U51dj4wwjsonJE2AP6V
fUTCjLpiStFrxcJTw0NuUHPB+WnwaOyrsf6J12EcIoIYs/BOZlRqk2UkTUn5
gPWE2DIMl582eCcCfqDgbzPJ9kmcRc+wIjWADETkYjTVosUDIzM4UVVAn2WN
J0ZqPJvgB0lYdAZVn+or8oZTMNrZJFK5mDI1fG7h7FKTXLLiQrXUyP/LJJNC
J06ZOBDdbCdJxAHCxUgkSLAzdCR2A7c2TYXErktfZETJBR0C1zozSR/PrSsc
FTSohCWcOqPFXwrUbXIR0z0B7wXzzDQYfZRsxLuDWLjsRnyXLpujsWq49/En
7ONHoiSN4FNLbRas4FYHUnT9ok6X+CaeJmEw7K2DFhJlyNoYCcRkuGsbjhiO
xHOUpNbZuuiCQ7gt6YyGpi2R8DEynRhQIjGg8ZzYHMkB57lX1AhWr4LIGumy
Fk0dbBLWjywIOHoLROOkTIZj5CyAtM/ZnNT8vHlSiV/JC7axUlbHlmW3/tH4
N2fH7zvJAq85WeDTPTgzxljlZ2bZfCeKAhrx4wsfCLzXjOJ5WrpEto1NSkjj
OnOrlYXO7e88VJjEC6VTT6npHVDiip8+yQNj9asQycBtH2ZfbGZDRBSG/FHZ
YTX9IWMWCd49DxxyNmVUbtsR0A1tzNZivoz6zZMXjzWg2kdEsWufxwOwm70k
me2ZHeUuw2SPPVh/A7ORXK0oMBTnz/d4nHJO56HnOBep6uRlsBaDYwBJEVcn
DcW7902RXRBPBXOxigr2Ied4UbUu/1wzZG/qiulb1iZnONFduhQVPYe0rlP2
Cdrtfzg9atQiWK6LNl8Vm6DRYgh2tRJHgbYSPA4/FYFI2ATnVbCZguIReKR5
wkwTmxVr/FKwzlfBUjy31lsHs4FughMloCNgTgn0N1zk1GheHOJEXHujAwJV
9uRkHBjEfZbCDfAD4cQPpLo5mAEz7n84fz1+fn9sEVUQ7+nui+eEzpzZ47my
zdfNgxKEKF7ogoSb64hy3GhTyN5ivkN6sDqlMEWzno69zpPkPmcC+dfW+20n
d3rYZkjN4kOvYLQJMwGckQEyzSQDACZouYKiVCV9Uk95FTurm83ovU/ExqIB
ILDOalZ5R6FdXRCbd7F2GOOzWVXPNecZfvT+RIFRouH4UD9Swna704CghOG7
PjrIb1fRkJMywFlQqFwCYLGAsirHjCLMBVGByKimOe15KYaTzs35IXOy3qYc
r6EbNFevgPRFVgPUcx9TltgqahnLi2ZoWbgNI0Z6Iu2H+JHAD/7CO/C8ITx3
eAQc31cxJnFvoVvLjmOEU8yK8LXjVYL71yOXjKo7k4IOF8Rl7grytE5Iod1a
igkilD2jVYQmjCdt+oV/uJu29zoMzfFWNjLY6C9QdoMbUs1ht8FMZxz6IKik
18H0Cnxnzm1mqyWGIzqihk/XnB0cRg4LS5nssR40A1yDBCY8FqtRmV0TMTvN
YYLuTmbeEvmz8U7Yfcr6C45BVN/BD9EYloj7TTFG1I8u8ZLFD5xbngMJxAiN
KkKjMNWij1sKg1ygtA6WM0stm3kbPBomBnCawCaCcbb0nWhd0HqI/V6sCZes
TB8Udu8h7ZBNqPdFpS4shdzSATZOVKp0CJKKPCYjc4eJ2NNh14sLY7lZ2vRC
GMNHq1h1s6wfTXatKf302ZNnfdhsUwBFLGS5Y2xYKe3AL1TlM9OxZpvxoVoJ
GuyM9SE224XraEZkqckzyewyheMRedPGjWODZ6yHEB4T3titjlCSQfOGyVVR
9hDSz0leQMMmVozaelaZU2J4KL/U5bq9mHf7f8RUEYd2NscI7OkHzV1WHi+o
vFFmYUWDqIuV5DDT/DOyOS2vW6YfiQMsObPqIVHuj5lN3Ptm96ktyvDBdlZa
lLVpPuU00wxPpPI3ZKs0nHK0h4XNYKGG56CPWuyjY0miYxE/G2DH+CL6sBTD
NCPvdlqlCHPQIMixTKbEfK4a5yfjh1TZaoYTcwysucmVN9SZaIJ13lx5qyD2
VF5k8A+kF0tW5vR8eFhW++PiwCAPXU+EpWhQFyjlgFiBY0NQU5vWVukQ8KrW
JmapBZ5bX2EUETvfEE9NkH4TWOfqR0Qwal2K75qNTFFn1dFF9MInJHiz0gy0
jieqVIeTiobAM8nOOAW6CoWxlCjMPY8OpcTmr+yUDHCscOJGJDVt+ZeQ1S7W
g7WSUtJxA8RS29UJ4GhY9rLj/ZDkkUBM0a+xEZbAD60OBZ6D5dMU7HbJAV2B
Sd46ixqqQ2EzEB2gnNLARoKdlY0UKe2JFstiJnOuBO+48rcwMZOigOxr3pok
bMIYqrPM72uoQYQ1UCAwqkl1c8WDZGG/J1h4w1ADJl0lZSGD7DQ+PZJ1Dx7w
8+eh9TQoL7csvnE5CHY+Jgop7pF0ADQckDRNgJrXMNlYlBUuTCXsqiBUJKM2
q8eQ8mb/7NXRkfGcGnhJ9mIzYnZyebsieTEmNoIEP8c+PhAh4CT8Y+bDvz58
+GzXhcIePvxmf5Tg4uOH7iJ/fSGcCZ8fHQxt0p8gUbBkAuSzx4EEAY9i1qgZ
OeJRCdLKMcTtNh6qxUHrmWjyxNrX1rXouXjMwS0jS8DKJ3TymrUcMnWNb6hj
mIm+RM6JZXnqAIG04OouSU1nr86JtVpcQxlGuVdii/xa5ARWdSruEvPpXsd/
kiSsll74W1Ov7Ix8HhGf2h0OmkTFj5XhwLs78oc1ZSSuAkS+74h4EJsiCNbh
cXGSSpROzTfHv9kXr1VwdFrKZtg1aJ1jWZikrw4P2oLybtFQZk4jhI4cJzPb
mtnAVwV2pElOSRxYsJvn1OhgJKeHeLkGoMeGed4EieES3uJMnluVch0nRNet
6lKqg4kb59xC6ghbrIxBENzJ5hkKvzqT7UTIo6v+dE/2Orb7sOjTCQLa8nno
V9G2OXIg56UMdh8kuU9/PoMJlUb1XI51ONqEHfQx9vVgU2WnsNJGD9lc3gEm
JSSMYQkPuxE6DvnJYYaZ+FrvatMxLX7pjFo5CUQ55DILLafadEwOfZAyAI1Y
XY1FEWaAdHJhFYSreogrIqBf27AYrfbDCu1k0qUYpzz4YNSdrUOUgZWlZbHb
XKYWb8AGPRVLJHJL4VsHv3hc66iP0MyRuE3Jh+vIkbTNn+rG1z1Vfzg4EeYd
Ze1v7k2FM2sJkVLp+LUSjFW1k4gr78jpIRiVtUwH5680NdJldbKQWeQ1CtI1
JOtlRDQnq/J0bNUyb51nY9PAI/61gF4Y3RacDtwi6N0w6aZ9auOA6nxE/3vD
2HJQ/W7kOZ6sIExGh4lGJ5FfwQtEy5aKWPzM86soWoQIcJeb3RNMwEVvUglU
uYhNyAuZUDZwlmEahoP0xj4ciz37ZeAoDJPQAt59hwRTFYpXWiN3ziZeSFyI
57PRGkwVRUV8n4xoSQjlupiwVMT0st0zHQusTbOyG06KPD9/a4002n6YqugS
0Z2uuvsQ+h+Zn+hpUUlcKvNpBRqSxdJJT14LFtgeeRNzxtoOzddI6QhrJaQ3
Iuw7T1eti6LOb0nBymdGmmrxunSOTSczKYAAgbQOQBIj7ia6hXsqUxZvO48w
SnPmpqab2LJY4Cnzi0UtiW2jJAALISiUw8o8c9sng/Xisg0MMS1DnaYFUGck
BCqhYka5okrnGhmUeDvnMXs/mgQ8i+yjRQbAxkKuIyeU1zZdStgawNpgKChB
tVjAXCIumevLPHDWkEf1BEBnTT+dX6ckuy5Y0JDQud+I7dlUMARb1nLsYBJX
ws4FqZKgBi8QQANSuTlGkiMD5kJKD7ikjpeauKUiQKplhQeHY6WBoKsQ2/d+
6QQhmBiqknEPoXmd3qB/4dd1rZgECokXnr0gk+QqnNW8T0UbJRrqGYFNj8Cj
tWywcMxabbXtqpnljH1+gsjC24x30gFxTq13e7ZV8hXbirig9bTmHFn5YV1q
7ih4Wc4JCmxWRlPLtgS7ZWUud3p6q8VxUqYUbieJFhoschJaJCc+QBMolUoR
PnrzGQ0SJHS8an3+TeAVksYZga7L+SNpoI+POrFXrnqBDjPz0s/r21W/Ur2X
JLtOI4nkee6q4iW8/QV7Y6T+2DCc5GWVDfvfJV5dghpuwki0AptvSTAHdtBF
KUtRHJKGRLaSxWa+cNKL/aJ+V3ZgSiI6j3Abe69c8lOw/1I2l7fODYjwGAOX
M5FdkscindZ2RXSUgcETxP1sgVjeFKRXMoOQgCnvNLgRVVtouWf7DNW+JiK4
bajGE5fANwqbqs4vJBnXJWbZQbQhA8Cv3t46U20frD7IwhEgfbEqOGw29mji
AonehsHZS6mjt2QCgwCTfFnb31I7DUbt2XaokPDJePdnr+qPgG7ezFKiF+h0
jyfmLNR0vqjOqPQFS9cuD97hjOk3a37PKy0c6lO5uFHHKKAb5+lWBYeDYJJx
hYlYNfOoq2FPOQKbbBJUzLHXuB8QRG+S+sEcQDtkcNos+5GCgK7lBhJplYdG
odrJx40DbB0JSwhbnoh4tlV98zYOMvdrrH4Kwltbrxhqz33bWpcBhARqTTcs
FFS3JskTxwTDzBlFXTZmfZjQlSbFeQLCsQAlK/jSJpZuYsbNGAdK9iNv5gxg
GOlGgEE3YSwBch/bsF4Rt7yEK20EL0h5yeKcAdA9VFk+aJHxvZatlEF1tfin
DkobQHcJnI7cW9JpU/amukUCthhXHJhe9QA9N/JvvuBgqD6gS3R5WdbKQuYV
82B2jYiibBOBYT9Gp2gdpSHRP/vCeQcpMHBQ0XLg6gmTZjA9A8tmxYi0DDNj
MHw3O8YH4FNpGWwzHkhfsAcT5eaI3RsMbOeTqFDCdQt8wryxb9zGnNiovL/B
p6NrCjZ9E5KwmYWkW2JImbViFrguc8nPlKxnl/PqI6tPXYry492HtEfuTRA+
CtBDgbi1fuEnzx6xA8kubAuKexSJvQhWV2iyUFMl+UiIACx2Ka9Os+PkLxo1
0Cg4PMBptKIsuITOdOp8pk4Iu/JOZUx9Thz4Au7Ql8LaJhtY1NrZaPCY6Inr
hdwuZkPa9zOtfV+tyPkXPyFxSMU/27wD2arrpYZbhaVwVLBLz2SbZmOJvRM/
JUx7HgFBlyuZHmW4o3jnygUDZOzFvFS7izukIxgscu17cVCdwx+5Bfu48H1j
CQfVG3UZBauxZcDLvM0v2BQXWYtoKdoSEpdp5nXFHc2FqdrikDkxGZl9R0Ue
wuylhDDFLpfMpagBIjE37SgZQESFRnqNHvOEl8M4waTZJJIOSvQ14+riJp3X
i0k33SukNuZyjE1BVEw8P0GPLFWKOErq6rRFGMpxSYvUPq6hB9iIT7rbZUL5
BucIc54Q4Qkd87caQUexyjQjBCm1f5pEhQWAy3Ru8eKNevi3x2VsR5djsape
a6rrPcRmJGTyFQ/78MPa9kV1YaQqsYGVqEeMpie7/jDb/NIcAe9rzyFKgcys
wZ3A+aLVPNIXanywf74vp60X3h6+//X5myCRJuEwEjtzH5K95J33vmVL5OVk
e5QT8X7M6iqJh2U8auhwS25Z6Nl3uJyviEfRDNbFtCU0lTj3Zker2VTyt2g1
G/Egg0hwN/fNt1vrNJLqT3tGtJ/FfCCm/ZDsPpDGPz0JdcDXU/HIIlNdU+/V
RzsnnNTAd5wjKIw6dINwIhI4spVAI1Cu4oWmQMps2nRZQ6o0oraGd5NrZavS
g/iSNk/Eeq3DbrKxQp9aszFoIIwnKzuxIoHEPm097Y44R+OLKroKbvjPncxs
X5281ZovDTyn5i0/uU/GiNuqdMjFXHZAm3l+dkKQKzIbhhUVUpQHTW/wrzPp
AdW8bP5hMCmQXPLtVjh5oem7Ws5zVGJltsCIBf6WAx7IGm+kEJWooZ6PpbGU
Sgp1NwhXc7SxyYuarRU1vq7cwtsnwURMP7S9whq6+BUM5vzl/q4Zm7v9BL5c
1efprsvU5TNwW5ZO554k9Cf73NPKNYvhzkK2G3ZpM/aKrkckiXtjr8PVRUcV
J5Rr8nlvEWpqcXTscs05K6uqb2C91Hg+CCy6vsy+Mbc7yiDls/G1Z1rZZisQ
LGa5CSwHAcmFbebCPThk69kx06RERFZFOsuMutCSL/l7zA7Oe2hDhLogtPKS
k1O9IFaHSHoFPdJH/dKAOAQknt3ivGeYJDmKmts1NuFCPTdeErkUN87nvyRb
KitcRDjpAUjQPnRO6MfNf1ytrn/hBRZlNdFE/LFwqHTiAiReVmZX+g5u+pWZ
noicuMyR6BTlf/KFe2JaccnqndoerblPuKB3TQj37ps4VViczoP9QZS4wFrN
fftYVV/c5wQPi7IaweBfxz80VclL+w/8JZ9IzyfLbs/8mavUB21W7P3r46fP
x0+fPh3vPnr85Omzb/D2j7/Am0fWH14N414PIg4ATP7osZmnt82A72rorl3+
VOF+OzNe58RXC75aDpLPdhF75l64PnmlyS8GrKad2qKOvnIyBJk2+ZV19w8+
c5vFePNjm2FKSi5ry0jSDnxr0q+UcaiTi1pWyc1lThIFKajoR0nsKS2vOBG1
Gcoj33///f1/v0//56vmppZ3MGk4jntrfvPiUXgADP4/9wP+L6N/TwD0u2FO
9xDId/EvATyGN10rcK0cmG3QdgCxYH9nv4dw9ECc58hGBJga6eatuiPsDR8k
aUzQE9Z8Tw99HxfZO9hrqruu7ttvzfiXv3xzuH9wePrzn49pNHlt0e8+HJ7+
EX0m0xbvP/OpN/mcsA3wwqOLIr2gX/9KjHNu6vRbeQzoaPbfn313eLpnHtLH
D+dvjk+PzvWHg4MjaeFKXxOMQrqyOTk7/HBwfHb4Cj/tJd+ywbEHJw1izTyM
TPatWc9XvIRHCT/6i/OXB7tkpfTYLsM9YBG7ZIc85CE9+NTsKDPGz5++gA5C
hV9CCKHC3dEmQlh0+DzsQQc6JYsE+OjCZmfKr8JjFqutAW7c8ymBKd6OVTZo
Tac16Il22+iTaWFUbWSbifKbJsjA5ZwYmngornM0SS8qW9jYaUrd9jXCjoul
8mazZeoKnMP1Anz67NFTTe2Qn1gJcZqfaBkT05VNnCLGL2bgZZPVqVv1Ps3o
vQmC+7fhc8jW5g4nrHHchLFGKdzloG9vO27sXFxzjXXN/eBixkFGXse/qjZg
2PRVpOpG33+rNEOzl+5l2yJStAt42upcUzJtjWRP7M16baRdtC1i51actg+W
FBLZMbhwv98dY3m39b7PBnAicsJsZiNsrpYNGu7LdHbF5/MqjAAlNkCtJdp8
tNaocx320eBlLq8okSJOO5P4QW2eQAfVJALsXr8DxBTLfF2i+L8MHT2cdt2r
Twyj8PYHSQnRuoBO1bdtmGJ7pGndWW7TCtXzmOsrcnzx0Uha8vcAlsOg9inG
BknKUXUrR4s6V2MfpymxY8+BVbBIerfk1VxLB10OQOY6iaqDwfpCnU94EDjl
zZm44Afemb/h5m9t+YtGHcSpCS4EJ8mYzKRsHjr6WW87s8gdszNOS9XSGj6N
/chfzATIne7m0sCEEcuNNYvH2nzxRJhhtnI6dg47Qey7SZzzRYaT4pc2t0K+
HocLhLWGpBcUMWguCVlmkWOWo2kItCMhUDM5CpLh7GW+q72AmB9aNBIOOdra
MMBlK7iUsm4+4VDeyxXeacNHrhEImmnuTh5boDxBKRnXBuEFGRNjPtgakyYs
lhptwEZbYXQWGiRvsdWTN1fcca6a5QwvxvwA4kGgU2xtCQdzARaUrCWyIoks
gGeAlEQ84pyJqM+RWjSS0KFcV1scuXILFdHpRs7SFouEXVzsIc61e/OBljAh
NXgWZR+RJGE9G9aL5foScfeCyxVA9comH7xLuv0AEV60rxLQF8v5AI2zm+E1
Q4sbNI0u28RnE3bKovlNDlsEk6aXBYV5gLs13L1YTs10TZbWmJZueVDNrf5a
eDDsK5LqxlbAcIJro3EqSSPg/CHfWmZzQwCDf7letxVO0CEGVrvzisRdTnxA
NHifVeoTbRKGR6HdefXlWFia9DMNHTIph0B83+AsztbRHJn44NivLt3NrBqK
UpfV7Y2+aMK1bLKrly65/lQaFrR4s0n/+EYa7CRI0ZMsa9KYJ0nc7RJ5n3MN
hoQvhHEh66QHHTczndRBMs20aq+ThNMkml3T7QI243QnvDEyIACPttq2lUVh
YgvbvIdrpB6csPzOWkUuNUdnTLzDue92H1TsUJitGUy3U0ZHIAUyx9WgOr3K
qpXaOjZxEXoXjhx1O0RwuodrzXdHTNimUuqcluPGgU5mUNVgIxGDc1iXnH1a
6nL5ZVtaBmqrz9g8wap2uAcix/dgpV81FtBNlqjibN/zw8lZpSbzNbwKeREF
fXlz/u7tZFsrFZCoohViYgmvwc2r00b901nHLyVRNRWXTtQvkoMgxPets500
GtSGQWOOcnOYPyf9/HljofY1Ll/KUkD+n6Yn0FG9UjXPJxVKVwzXBUJWGkRW
eQecQ0Gw5Ji881pupmjZVpF4QTGC65whngau1MpHuLQ3jU22gkTldpCVONVF
s+WWrXL2tEXSysbVYmwDwXW2KFQFUwnMsiDoG0Aj1+nK2T0C7doLUcArVElt
VghSU8mO17ILvFi5rQau65ZYy0H2hH1Mk958DruDrjSoD6CK9+9FnUe7BxMe
fpSj9D0R0vf9bMNWzATJQi68lgQV5wjWZ9IZ/GdBpwCuds98eoO+FjHofsB8
MZc3FaKJIsvawDiJXrk6MsennRm0NhSN24pMykPBizem6M2dAIsIync8h7HW
jmqjH07fNkOt2gqDQVsYKd57ldEVFhk+TX9zUT35PrbY1Fkw0iEzHnMz/ax7
vr6JwKYcOGL/xzS7rWzC3Kxa+a4OLnrEVdOiRTrfXnBICHewn0JsBbHZ5qIs
2tu/lMqLN9ehT46r2wrGZzZnhQTjYubfVF3VqjdiiAWCGZbDT6R1mMN+svmv
smzFqoAy9C+lzQu/9Sm1nWzITQHq3EFso0g2bxACjjkibzF6AU6nr0NVO27j
ARA0kLfvWnHdndG1dVXncWNuW1Opj52yvcKM9m12gcQPft+K9cNJSMKpe6LX
a3r2DnQzTs4eOpVkA2SSicCgp9V8vNX2RoGnT8uvoXHadpE0ksJM8uztk0n8
pHSNdX60tHULHevbdossdDejWUmV2I6NktljN7fxgpY4ZGfzd3gwCERu8Yjm
VniBAHcgdbeHHepwZi1p/WTTnR6e4a1Utqbv2cNn1tY60ZSbrlP0fEtoTDVf
33rM9QcN3iMTMhWpLG/8e3XMhnTG21ttA7Zl3jpNwHeH6llLV4I61As5y/2G
m4TSUVxkti3dV3gItlYubHUF2D7YapprcphVUiQI5nKBu6+iit+iYjPKqqke
pLQs3H+/v+nqwdXP3Qi7OkSRQnAtHZ18nUfHCI9TU+KX7UjWlmuNivehH5JY
quo9c1JwTzwbs6Wf/kB/nmPi3nK9nCJk2KBdhY2iRi/9g9KBIO7AP6g5hfYZ
EmdY/sjW6fFsA4QvBnHQUEI+XxjmjnyvQ0nckCQehhj3hLIv7mGDT3SFnmye
TprYK0nuEMc3T8E1tcGvjdk5PjkfBi5B32pkcCAJBuhloa8pNzs0wNCcpHXK
7xwPfYkXJJlX1qNIt33+TPrO77H9PTQsIkglCYbCt76d471mHLDi3+E6rudJ
wp0ZwOJxGYeJ400YfJzmcRo2Bgt6eQhCah+OrWjJ8O1GFOyORtKlF8xzENC8
n2SQCLAGW/JAAugEzen/iQC26vWFemqUiSAEIb0ryrBdiFlyG+6gEYRHHhH9
dGBud3wMUbsS26JLhIUGDazY6hQS+y5AdHZF1WzEpG2JiR2X1ybr4QEu1jm6
4ZW2o5tvhQppIRHtd5IehpWeuFQFMyUdaLFhXhfpNCuIrSyXaZ3/6F7xo/6K
INHf7w31v1x8G3gSMNeRrSRNtRVJT18gT7AO/HhF6lnI8Dvr5rBN5jK+aov4
gcbJvT6iMwkXG+DCrZhOufYFX1WrdeHdsPHRS8CAjv4nj9rmJxOB2NCFg2CX
vX8/GRPtz/yU/LQ3tn97wWf527iw+dd3yx4Na2Y0m1roP/0TWrR2GhX+FCMc
BrOCBZP/QDdE3UDpO3e3628FCk/ImvSU+BEh0K29Er+whIZu8K6un7g17t/U
pHGzM+OXpqzohkid6m76n9zR70vrKegG10ZP8O+ov5Nf4JXrdHXoS+qWJnt3
z45EACK1seabcxrA/SOht7ijlJDj/c8brZskyumsfrx/6Ojw/DU9cp3TnUGh
wJPJcxfv2n30DKUCqr/ltTY9btXf0PDLU1rbTzOKccQc9N69TfG5GSu0YtQG
CP9xQdoXj/xvIUY3vVb2fSZfkKg/E3EaPqji4GdOgoVyYKtMkYf5Oa8VbZEg
JKOBTWM2fvnt8RFnlopRSX9N5FVZfnkqSno2/LXSJQkUeTljFi98QEqqTrAE
4sPtSr7fLT02pQMLhpakvB3vPCuy1SV8c+/FAjBM1f/C77J8xkROT4iz0TIQ
7TCOi3YYeYIM1ef8hCN+FTme8HtwO+IAG1jG5vR8XeurVOZzq8dvcZF+RUSf
TmaAk0+Ejww2WNxWrrKFKdzZbFfZgysM+Cco2ndM99+DUXQkblfpTvpZBCMo
6ZYium7y2vWz74y3U3MmycPxo6dPh38HE7Gj8aPw48hJ7mvFL4dm9wJJKnDc
WtkjT0cJGJ0V//MYlheXyrNs5O+BL52rau6jdN3N81GOJxJResQZW1/ifLu6
XBxyjHp/D+cL9GplP57r/bQN8hEX9BwwYH/btebwFzC2hzyYFOT8BA+K+E3B
0LrlOp833dsYYRdL1rD1T1FXgy+3QPCNDn4yruRx8tS/ef7pi4e7yoIf0T32
dTL/pRM9xj0rGuIfmURGffLiyQsd9QmPevsPg2lj4Kd00dUCxbmV4UThkdoi
qC0n+gyGHLfH+6rRUCfUO5LKwK7q26GarxR+IP/5nJnnRjf3JtKK/w5htkVW
bPGtiaOuo8pte+u4L13aKpCS/yK/Gqkq718fj18dExsh2lE3xta/fq6yTa/a
zldYxeLqJh32bgSXmdVqMoHdlEEWCurgjGKoAVtoLoPuUuxvhoyobNa0sNrT
kz/Z9ieqcyCFnoTWx6BqhQs/S0lruRaXEpdVLrjQPxov9QncWiv3pwq+px2a
yL2A/dMn+salEGmb+Jo5b0brUJtvyvPuaAScEJ9K9m3htJkirQa5gyhYOt3/
xUObM+UWHFao2LfA5P1Qmbgk8qBi+o7uepzUE/ZGS+LaVtsq1FYeaLBWIdKt
sO6ZwL4WS3s6wVDF4TmgRW3WJNV3o0db0AbMxS8SbiqtwZbwhY5zAxhuVI0j
nuWai0iL5WyFytzZpTunpn+Df8vmcAZJ/+bCLLXNzWnPvUpTSxZ4oxZu0/eD
26yN0vZJnYeBTdJFfP9mokXfNjhJPRZu9L2Pe8bCr9BsQjKxLc+kDyXeLHGz
0Zo47OFpewXYArV7nTIAI35+X4y/GdVZ2ajOsrrWZmcBfaMxxmo9LXw59H7L
YuLe7u6zkfl1npartCoqMo9QBkE68++rebqgT+I5OU2Lhfkug0q2s3+VEjMe
muCdRGUnI93Jv06Tn3e+UbwLly6qNU4GZRLY9HiXRRGBYH/mon/SX/zTnoSl
svkvBtw5a8BCMtVkp9/nLUEir8zLrG6rIh3RghvzJq3nKb8l7yWdAFl/hBvt
jyNinvncHNft5Sj5fX4FuX6wvrqsrsucnktrYvzmt2t4vkckY9aF+a5aSzvw
31SXpXlLwrXMaMxqmtAMFfLW3q2vsJOz/BoyKS1DsO6TAeKhS/empJ/QUQIX
LtPliA6Y7O6UAP+SyObHZXaLFR+Q6kvG+bv8glbQjsxbdAA7RAVFK1E1fopW
+hoLlpC2avlLm7rg4ROcIZ7dPHNunX6ZatvLToQ4rztn7Mc+ydra/L//XKX/
939lV7TqnLYnjaDStjUva5QgBG9wOjg6RRyalBOGZkNbMGcpWrDfutvODl/5
22SvfAq/vf2RwNu6+/ZPz+k/O1y03f/zP+t8Zn5/W5K09fcf6L3Rre/wXveX
pExXq5E5JVWjBOhvi/wGJ3WZNZfmNxkxixIhNiDIfjm/harUVvr+1oNsSoK4
KoItHB2e/dpN9v8B0JlGoSGkAAA=

-->

</rfc>
